#VU1083 Denial of service


Published: 2016-10-24 | Updated: 2018-03-30

Vulnerability identifier: #VU1083

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-8610

CWE-ID: CWE-388

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description
The vulnerability allows a remote unauthenticated user to exhaust memory on the target system.
The weakness is due to improper handling of certain packets by the ssl3_read_bytes() function in 'ssl/s3_pkt.c.
By sending a flood of SSL3_AL_WARNING alerts during the SSL handshake, a remote attacker can consume excessive CPU resources that may lead to OpenSSL library being unavailable.
Successful exploitation of the vulnerability results in denial of service on the vulnerable system.

Mitigation
Update to version 1.0.2j, 1.1.0b.

Vulnerable software versions

OpenSSL: 1.0.1 - 1.0.1u, 1.0.2 - 1.0.2i, 1.1.0 - 1.1.0a, 0.9.8 - 0.9.8zg, 1.0.0 - 1.0.0s, 0.9.1b - 0.9.1c, 0.9.7 - 0.9.7m, 0.9.3 - 0.9.3a, 0.9.5 - 0.9.5a, 0.9.6 - 0.9.6m


CPE

External links
http://www.openssl.org/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability