OpenSSL Multiple Vulnerabilities
Last Update Date: 6 Jun 2014 11:01
Release Date: 6 Jun 2014
RISK: High Risk
TYPE: Security software and application - Security Software & Appliance
Multiple vulnerabilities have been identified in OpenSSL, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.
- An error when handling SSL/TLS handshakes can be exploited to force the use of weak keying material via a specially crafted handshake and subsequently conduct Man-in-the-Middle (MitM) attacks.
- An error within the OpenSSL DTLS client can be exploited to cause a recursion and a crash via a specially crafted DTLS handshake.
- An error within the OpenSSL DTLS implementation can be exploited to cause a buffer overflow via specially crafted DTLS fragments.
- A NULL pointer dereference error within the "do_ssl3_write()" function can be exploited to cause a crash. Successful exploitation of this vulnerability requires SSL_MODE_RELEASE_BUFFERS to be enabled.
- An error within anonymous ECDH ciphersuites can be exploited to cause a DoS within the OpenSSL client.
Impact
- Denial of Service
- Remote Code Execution
- Information Disclosure
- Data Manipulation
System / Technologies affected
- Versions prior to 0.9.8za, 1.0.0m or 1.0.1h.
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
- Update to versions 0.9.8za, 1.0.0m or 1.0.1h.
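As an added check that is not part of this advisory, the following Python compares an installed OpenSSL version string against the fixed releases listed above (0.9.8za, 1.0.0m, 1.0.1h); the `openssl version` banner it parses is a constructed sample, and the function names are the author's own. OpenSSL patch letters continue past "z" with "za", "zb", so the comparison orders suffixes by length before letters.

```python
import re

# Fixed releases named in the advisory, keyed by the branch they belong to.
FIXED_RELEASES = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Matches '1.0.1g', '0.9.8za', '1.0.0' and tolerates a build suffix such as '1.0.1e-fips'.
_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)([a-z]*)(?:-\S*)?$")


def parse_openssl_version(version):
    """Split '1.0.1g' into ('1.0.1', 'g'); raise ValueError on unrecognised input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return m.group(1), m.group(2)


def patch_key(letters):
    """Sort key for OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def is_vulnerable(version):
    """True if `version` is on an affected branch and older than the fixed release.

    Returns None for branches the advisory does not cover (for example 1.0.2 betas),
    so callers can distinguish 'not listed' from 'fixed'.
    """
    branch, letters = parse_openssl_version(version)
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return None
    return patch_key(letters) < patch_key(fixed)


def vulnerable_from_banner(banner):
    """Apply is_vulnerable() to the text printed by `openssl version`."""
    m = re.search(r"OpenSSL\s+(\S+)", banner)
    if not m:
        raise ValueError(f"no OpenSSL version found in banner: {banner!r}")
    return is_vulnerable(m.group(1))


if __name__ == "__main__":
    # Constructed sample banner in the format `openssl version` prints.
    sample = "OpenSSL 1.0.1g 7 Apr 2014"
    print(sample, "->", "vulnerable" if vulnerable_from_banner(sample) else "fixed")
```

Distributions such as Debian and Red Hat frequently backport security fixes without changing the upstream version letter, so a "vulnerable" result from this check means "consult the vendor advisory for this package", not a confirmed exposure.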