CVE-2013-6450

MEDIUM

Description

The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.

References

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=34628967f1e65dc8f34e000f0f5518e21afbfc7b

http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html

http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00031.html

http://lists.opensuse.org/opensuse-updates/2014-01/msg00032.html

http://rhn.redhat.com/errata/RHSA-2014-0015.html

http://seclists.org/fulldisclosure/2014/Dec/23

http://security.gentoo.org/glsa/glsa-201412-39.xml

http://www.debian.org/security/2014/dsa-2833

http://www.openssl.org/news/vulnerabilities.html

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

http://www.securityfocus.com/archive/1/534161/100/0/threaded

http://www.securityfocus.com/bid/64618

http://www.securitytracker.com/id/1029549

http://www.securitytracker.com/id/1031594

http://www.ubuntu.com/usn/USN-2079-1

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

http://www-01.ibm.com/support/docview.wss?uid=isg400001841

http://www-01.ibm.com/support/docview.wss?uid=isg400001843

https://puppet.com/security/cve/cve-2013-6450

https://security-tracker.debian.org/tracker/CVE-2013-6450

Details

Source: MITRE

Published: 2014-01-01

Updated: 2018-10-09

Type: CWE-310

Risk Information

CVSS v2.0

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM