CVE-2010-4180

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

References

http://cvs.openssl.org/chngview?cn=20131

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777

http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052027.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052315.html

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html

http://marc.info/?l=bugtraq&m=129916880600544&w=2

http://marc.info/?l=bugtraq&m=130497251507577&w=2

http://marc.info/?l=bugtraq&m=132077688910227&w=2

http://openssl.org/news/secadv_20101202.txt

http://osvdb.org/69565

http://secunia.com/advisories/42469

http://secunia.com/advisories/42473

http://secunia.com/advisories/42493

http://secunia.com/advisories/42571

http://secunia.com/advisories/42620

http://secunia.com/advisories/42811

http://secunia.com/advisories/42877

http://secunia.com/advisories/43169

http://secunia.com/advisories/43170

http://secunia.com/advisories/43171

http://secunia.com/advisories/43172

http://secunia.com/advisories/43173

http://secunia.com/advisories/44269

http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668471

http://support.apple.com/kb/HT4723

http://ubuntu.com/usn/usn-1029-1

http://www.debian.org/security/2011/dsa-2141

http://www.kb.cert.org/vuls/id/737740

http://www.mandriva.com/security/advisories?name=MDVSA-2010:248

http://www.redhat.com/support/errata/RHSA-2010-0977.html

http://www.redhat.com/support/errata/RHSA-2010-0978.html

http://www.redhat.com/support/errata/RHSA-2010-0979.html

http://www.redhat.com/support/errata/RHSA-2011-0896.html

http://www.securityfocus.com/archive/1/522176

http://www.securityfocus.com/bid/45164

http://www.securitytracker.com/id?1024822

http://www.vupen.com/english/advisories/2010/3120

http://www.vupen.com/english/advisories/2010/3122

http://www.vupen.com/english/advisories/2010/3134

http://www.vupen.com/english/advisories/2010/3188

http://www.vupen.com/english/advisories/2011/0032

http://www.vupen.com/english/advisories/2011/0076

http://www.vupen.com/english/advisories/2011/0268

https://bugzilla.redhat.com/show_bug.cgi?id=659462

https://kb.bluecoat.com/index?page=content&id=SA53&actp=LIST

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18910

Details

Source: MITRE

Published: 2010-12-06

Updated: 2017-09-19

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openssl:openssl:0.9.1c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.2b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.3:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.3a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.4:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5a:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5a:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6a:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6a:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6a:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6m:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta4:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta5:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:beta6:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7m:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8m:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8n:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8o:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions up to 0.9.8p (inclusive)

Configuration 2

OR

cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*

Tenable Plugins

View all (51 total)

IDNameProductFamilySeverity
127201NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl Multiple Vulnerabilities (NS-SA-2019-0033)NessusNewStart CGSL Local Security Checks
critical
125000EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1547)NessusHuawei Local Security Checks
medium
108092Solaris 10 (x86) : 146859-01NessusSolaris Local Security Checks
medium
107599Solaris 10 (sparc) : 146857-01NessusSolaris Local Security Checks
medium
89681VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0013) (remote check)NessusMisc.
critical
89038VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0013) (remote check)NessusMisc.
high
79532OracleVM 3.2 : onpenssl (OVMSA-2014-0008)NessusOracleVM Local Security Checks
high
79531OracleVM 2.2 : openssl (OVMSA-2014-0007)NessusOracleVM Local Security Checks
high
75806openSUSE Security Update : curl (openSUSE-SU-2012:0229-1) (BEAST)NessusSuSE Local Security Checks
high
75802openSUSE Security Update : compat-openssl097g (openSUSE-SU-2011:0845-1)NessusSuSE Local Security Checks
medium
75594openSUSE Security Update : libopenssl-devel (openSUSE-SU-2011:0014-1)NessusSuSE Local Security Checks
medium
75453openSUSE Security Update : compat-openssl097g (openSUSE-SU-2011:0845-1)NessusSuSE Local Security Checks
medium
74807openSUSE Security Update : curl (openSUSE-2012-76) (BEAST)NessusSuSE Local Security Checks
high
73560AIX OpenSSL Advisory : openssl_advisory2.ascNessusAIX Local Security Checks
high
70885ESXi 5.0 < Build 912577 Multiple Vulnerabilities (remote check)NessusMisc.
high
68165Oracle Linux 6 : openssl (ELSA-2010-0979)NessusOracle Linux Local Security Checks
medium
68164Oracle Linux 5 : openssl (ELSA-2010-0978)NessusOracle Linux Local Security Checks
medium
68163Oracle Linux 4 : openssl (ELSA-2010-0977)NessusOracle Linux Local Security Checks
critical
67223SuSE 10 Security Update : libcurl4 (ZYPP Patch Number 8618) (BEAST)NessusSuSE Local Security Checks
medium
61747VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party librariesNessusVMware ESX Local Security Checks
critical
60922Scientific Linux Security Update : openssl on SL6.x i386/x86_64NessusScientific Linux Local Security Checks
medium
60921Scientific Linux Security Update : openssl on SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
critical
57233SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 7462)NessusSuSE Local Security Checks
medium
57170SuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 7645)NessusSuSE Local Security Checks
medium
56665VMSA-2011-0013 : VMware third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXNessusVMware ESX Local Security Checks
critical
56425GLSA-201110-01 : OpenSSL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
55715SuSE 10 Security Update : compat-openssl097g (ZYPP Patch Number 7644)NessusSuSE Local Security Checks
medium
55711SuSE 11.1 Security Update : compat-openssl097g (SAT Patch Number 4913)NessusSuSE Local Security Checks
medium
55416Mac OS X 10.6.x < 10.6.8 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
critical
800790Mac OS X 10.6 < 10.6.8 Multiple VulnerabilitiesLog Correlation EngineOperating System Detection
high
5968Mac OS X 10.6 < 10.6.8 Multiple VulnerabilitiesNessus Network MonitorGeneric
critical
53751openSUSE Security Update : libopenssl-devel (openSUSE-SU-2011:0014-1)NessusSuSE Local Security Checks
medium
53676openSUSE Security Update : libopenssl-devel (openSUSE-SU-2011:0014-1)NessusSuSE Local Security Checks
medium
53640SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 7463)NessusSuSE Local Security Checks
medium
53637SuSE9 Security Update : OpenSSL (YOU Patch Number 12701)NessusSuSE Local Security Checks
medium
51892OpenSSL SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG Session Resume Ciphersuite Downgrade IssueNessusGeneral
medium
51781CentOS 4 : openssl (CESA-2010:0977)NessusCentOS Local Security Checks
critical
51620SuSE 11.1 Security Update : libopenssl (SAT Patch Number 3661)NessusSuSE Local Security Checks
medium
51440Debian DSA-2141-1 : openssl - SSL/TLS insecure renegotiation protocol design flawNessusDebian Local Security Checks
medium
51347Fedora 13 : openssl-1.0.0c-1.fc13 (2010-18736)NessusFedora Local Security Checks
medium
51157RHEL 6 : openssl (RHSA-2010:0979)NessusRed Hat Local Security Checks
medium
51156RHEL 5 : openssl (RHSA-2010:0978)NessusRed Hat Local Security Checks
medium
51155RHEL 4 : openssl (RHSA-2010:0977)NessusRed Hat Local Security Checks
critical
51146CentOS 5 : openssl (CESA-2010:0978)NessusCentOS Local Security Checks
medium
51129Fedora 14 : openssl-1.0.0c-1.fc14 (2010-18765)NessusFedora Local Security Checks
medium
51076Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : openssl vulnerabilities (USN-1029-1)NessusUbuntu Local Security Checks
medium
51070Mandriva Linux Security Advisory : openssl (MDVSA-2010:248)NessusMandriva Local Security Checks
medium
51063Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : openssl (SSA:2010-340-01)NessusSlackware Local Security Checks
high
801055OpenSSL < 0.9.8q / 1.0.0c Multiple VulnerabilitiesLog Correlation EngineWeb Servers
medium
5720OpenSSL < 0.9.8q / 1.0.0c Multiple VulnerabilitiesNessus Network MonitorWeb Servers
medium
51058OpenSSL < 0.9.8q / 1.0.0c Multiple VulnerabilitiesNessusWeb Servers
high