SB2015011003 - Multiple vulnerabilities in HP SSL for OpenVMS



SB2015011003 - Multiple vulnerabilities in HP SSL for OpenVMS

Published: January 10, 2015 Updated: April 26, 2023

Security Bulletin ID SB2015011003
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 4
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 75% Low 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 4 vulnerabilities.


1) Command Injection (CVE-ID: CVE-2014-3556)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.


2) Session Ticket Memory Leak (CVE-ID: CVE-2014-3567)

CWE-ID: CWE-401 - Missing release of memory after effective lifetime

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause denial of service.

The vulnerability exists due to an error when handling integrity of session tickets in OpenSSL. A remote attacker can send a large number of invalid session tickets and cause denial of service conditions.

Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.

3) Forced SSLv3 support (CVE-ID: CVE-2014-3568)

CWE-ID: CWE-749 - Exposed Dangerous Method or Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to force SSLv3 usage.

When OpenSSL is configured with "no-ssl3" as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them. A remote attacker can force SSLv3 usage and perfom a variety of attacks against SSLv3 protocol

Successful exploitation of the vulnerability may allow an attacker to obtain potentially sensitive information.

4) Information disclosure (CVE-ID: CVE-2014-3566)

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Green


The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to usage of insecure SSLv3 protocol in OpenSSL. A remote attacker can force the current connection between user and server to be downgraded to SSLv3 protocol and then use padding-oracle attack on Cypher-block chaining (CBC) mode to decrypt encrypted communication.

Successful exploitation of the vulnerability may allow an attacker to read encrypted communications in clear text.

Note: The vulnerability is known as POODLE.

Remediation

Install update from vendor's website.