This script is Copyright (C) 2010-2012 Tenable Network Security, Inc.
The remote web server has multiple SSL-related vulnerabilities.
According to its banner, the remote web server uses a version of
OpenSSL older than 0.9.8m. Such versions have the following
- Session renegotiations are not handled properly, which could
be exploited to insert arbitrary plaintext by a
- The library does not check for a NULL return value from calls
to the bn_wexpand() function, which has unspecified impact.
- A memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c
allows remote attackers to cause a denial of service via vectors that
trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function.
For this vulnerability to be exploitable, compression must be enabled in OpenSSL
for SSL/TLS connections.
See also :
Upgrade to OpenSSL 0.9.8m or later.
Risk factor :
Critical / CVSS Base Score : 10.0
CVSS Temporal Score : 8.3
Public Exploit Available : true