Vulnerability ID 5260

OpenSSL up to 1.0.1 ASN.1 Parser asn1_d2i_read_bio() buffer overflow


A vulnerability classified as critical has been found in OpenSSL up to 1.0.1. It affects the function asn1_d2i_read_bio() of the ASN.1 Parser component. Manipulation with an unknown input leads to a buffer overflow. The impact is known to affect confidentiality, integrity, and availability.

The weakness was published on 04/19/2012 by Tavis Ormandy (@taviso) of the Google Security Team. The advisory is shared for download at The public release has been coordinated with the vendor. This vulnerability has been tracked as CVE-2012-2110 since 04/04/2012. Exploitation appears to be difficult. The attack can be initiated remotely. No form of authentication is required for successful exploitation. Technical details and a public exploit are known.

An exploit was disclosed immediately. As a 0-day, the estimated underground price was around $50k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 68672 (Oracle Linux 4 : openssl (ELSA-2012-2011)), which helps to determine whether the flaw exists in a target environment. The plugin is assigned to the family Oracle Linux Local Security Checks, runs in the local context and relies on port 0.

Upgrading to version 1.0.1a, 1.0.0i or 0.9.8v eliminates this vulnerability. It is possible to mitigate the weakness by firewalling tcp/443 (https). Upgrading to the latest version is suggested as the best possible mitigation. A possible mitigation was published immediately after the disclosure of the vulnerability.

The vulnerability is also documented in the databases at SecurityFocus (BID 53158), X-Force (74926) and Vulnerability Center (SBV-34950).


Base Score: 9.0
Temp Score: 8.6
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:X/RL:O/RC:X
Reliability: High


Base Score: 7.6 (CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)
Temp Score: 6.6 (CVSS2#E:ND/RL:OF/RC:ND)
Reliability: High




Class: Buffer overflow (CWE-119)
Local: No
Remote: Yes

Availability: Yes
Access: Public

Current Price Estimation: $50k-$100k (0-day) / $2k-$5k (Today)


Nessus ID: 68672
Nessus Name: Oracle Linux 4 : openssl (ELSA-2012-2011)
Nessus File: aix_openssl_advisory4.nasl
Nessus Family: Oracle Linux Local Security Checks
Nessus Context: local
Nessus Port: 0
OpenVAS ID: 71259
OpenVAS Name: Debian Security Advisory DSA 2454-1 (openssl)
OpenVAS File: deb_2454_1.nasl
OpenVAS Family: Debian Local Security Checks
Exploit-DB: 18756


Recommended: Upgrade
Status: Official fix
Reaction Time: 0 days since reported
0-Day Time: 0 days since found
Exposure Time: 0 days since known
Exploit Delay Time: 0 days since known

Upgrade: OpenSSL 1.0.1a/1.0.0i/0.9.8v
Firewalling: tcp/443 (https)


04/04/2012 CVE assigned
04/19/2012 +15 days Advisory disclosed
04/19/2012 +0 days Exploit disclosed
04/19/2012 +0 days Countermeasure disclosed
04/19/2012 +0 days NVD disclosed
04/19/2012 +0 days OSVDB entry created
04/19/2012 +0 days VulnerabilityCenter entry assigned
04/20/2012 +1 days VulDB entry created
04/24/2012 +4 days VulnerabilityCenter entry created
07/12/2013 +444 days Nessus plugin released
06/22/2015 +710 days VulnerabilityCenter entry updated
07/08/2015 +17 days VulDB entry updated


Researcher: Tavis Ormandy (@taviso)
Organization: Google Security Team
Coordinated: Yes

CVE: CVE-2012-2110

SecurityFocus: 53158 - OpenSSL Encoded ASN.1 Data Integer Truncation Memory Corruption Vulnerability
X-Force: 74926
Vulnerability Center: 34950 - OpenSSL 'asn1_d2i_read_bio' Buffer Overflow Allows Remote DoS via Crafted DER Data, Medium
OSVDB: 81223


Created: 04/20/2012
Updated: 07/08/2015
Entry: 92.4% complete