#VU32589 Cryptographic issues in OpenSSL


Published: 2013-12-24 | Updated: 2020-07-28

Vulnerability identifier: #VU32589

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-6449

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 1.0.0 - 1.0.0t, 1.0.1 - 1.0.1u

External links
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ca989269a2876bae79393bd54c3e72d49975fc75
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124833.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124854.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-December/124858.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00006.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00009.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00012.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00031.html
http://rhn.redhat.com/errata/RHSA-2014-0015.html
http://rhn.redhat.com/errata/RHSA-2014-0041.html
http://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
http://seclists.org/fulldisclosure/2014/Dec/23
http://security.gentoo.org/glsa/glsa-201412-39.xml
http://www.debian.org/security/2014/dsa-2833
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/64530
http://www.securitytracker.com/id/1029548
http://www.ubuntu.com/usn/USN-2079-1
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
http://www-01.ibm.com/support/docview.wss?uid=isg400001841
http://www-01.ibm.com/support/docview.wss?uid=isg400001843
http://bugzilla.redhat.com/show_bug.cgi?id=1045363
http://issues.apache.org/jira/browse/TS-2355

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems
Gentoo update for OpenSSL
Amazon Linux AMI update for openssl
Cryptographic issues in openssl (Alpine package)
Slackware Linux update for openssl
Cryptographic issues in OpenSSL