CVE-2010-4180

medium

Description

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache. This allows remote attackers to force a downgrade to an unintended cipher via vectors that involve sniffing network traffic to discover a session identifier.

References

http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052027.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052315.html

http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html

http://marc.info/?l=bugtraq&m=129916880600544&w=2

http://marc.info/?l=bugtraq&m=130497251507577&w=2

http://marc.info/?l=bugtraq&m=132077688910227&w=2

http://openssl.org/news/secadv_20101202.txt

https://bugzilla.redhat.com/show_bug.cgi?id=659462

http://secunia.com/advisories/42469

http://secunia.com/advisories/42473

http://secunia.com/advisories/42493

http://secunia.com/advisories/42571

http://secunia.com/advisories/42620

http://secunia.com/advisories/42811

http://secunia.com/advisories/42877

http://secunia.com/advisories/43169

http://secunia.com/advisories/43170

http://secunia.com/advisories/43171

http://secunia.com/advisories/43172

http://secunia.com/advisories/43173

http://secunia.com/advisories/44269

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18910

http://support.apple.com/kb/HT4723

http://ubuntu.com/usn/usn-1029-1

http://www.debian.org/security/2011/dsa-2141

http://www.kb.cert.org/vuls/id/737740

http://www.mandriva.com/security/advisories?name=MDVSA-2010:248

http://www.redhat.com/support/errata/RHSA-2010-0977.html

http://www.redhat.com/support/errata/RHSA-2010-0978.html

http://www.redhat.com/support/errata/RHSA-2010-0979.html

http://www.redhat.com/support/errata/RHSA-2011-0896.html

http://www.vupen.com/english/advisories/2010/3120

http://www.vupen.com/english/advisories/2010/3122

http://www.vupen.com/english/advisories/2010/3134

http://www.vupen.com/english/advisories/2010/3188

http://www.vupen.com/english/advisories/2011/0032

http://www.vupen.com/english/advisories/2011/0076

http://www.vupen.com/english/advisories/2011/0268

Details

Source: Mitre, NVD

Published: 2010-12-06

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Severity: Medium