Skip to main content

OpenSSL Multiple Vulnerabilities

Last Update Date: 6 Jun 2014 11:01 Release Date: 6 Jun 2014 4231 Views

RISK: High Risk

TYPE: Security software and application - Security Software & Appliance

TYPE: Security Software & Appliance

Multiple vulnerabilities have been identified in OpenSSL, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

  1. An error when handling SSL/TLS handshakes can be exploited to force the use of weak keying material via a specially crafted handshake and subsequently conduct the Man-in-the-Middle (MitM) attacks.
  2. An error within the OpenSSL DTLS client can be exploited to cause a recursion and a crash via a specially crafted DTLS handshake.
  3. An error within the OpenSSL DTLS implementation can be exploited to cause a buffer overflow via specially crafted DTLS fragments.
  4. A NULL pointer dereference error within the "do_ssl3_write()" function can be exploited to cause a crash. Successful exploitation of this vulnerability requires SSL_MODE_RELEASE_BUFFERS to be enabled.
  5. An error within anonymous ECDH ciphersuites can be exploited to cause a DoS within the OpenSSL client.

Impact

  • Denial of Service
  • Remote Code Execution
  • Information Disclosure
  • Data Manipulation

System / Technologies affected

  • Versions prior to 0.9.8za, 1.0.0m or 1.0.1h.

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • Update to versions 0.9.8za, 1.0.0m or 1.0.1h.

Vulnerability Identifier


Source


Related Link