Sûnnet Beskerming is a company with a focus and a drive to provide Information Security services for all those who want to stay safe and secure in an online world.

yaSSL - Remote hacker automatic control

Version: 1.7.5 and prior.
Technical Details:

The yaSSL SSL implementation has been found to contain numerous vulnerabilities, with impact ranging up to remote code execution and authentication bypass.

Because yaSSL is included with MySQL, the recently discovered vulnerabilities also weaken other applications.

Description:

Luigi Auriemma has discovered numerous vulnerabilities affecting the open source yaSSL SSL implementation. Their impact includes authentication bypass and arbitrary code execution.

These vulnerabilities also affect other products, due to yaSSL being included in products such as MySQL. Exploit code samples have also been released.

Mitigation:

There is no current mitigation advice beyond securing access to the ports used by yaSSL (for embedded versions), or replacing it with an alternative SSL implementation.

Updates:

Not yet Available

Source:

Luigi Auriemma (http://aluigi.org)

Exploits:

http://aluigi.org/poc/yasslick.zip

External Tracking Data:

Not yet Identified

