FreeBSD : OpenSSL -- multiple vulnerabilities (8aff07eb-1dbd-11e4-b6ba-3c970e169bc2)

This script is Copyright (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

The OpenSSL Project reports :

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information
from the stack. [CVE-2014-3508]

The issue affects OpenSSL clients and allows a malicious server to
crash the client with a NULL pointer dereference (read) by specifying
an SRP ciphersuite even though it was not properly negotiated with the
client. [CVE-2014-5139]

If a multithreaded client connects to a malicious server using a
resumed session and the server sends an ec point format extension it
could write up to 255 bytes to freed memory. [CVE-2014-3509]

An attacker can force an error condition which causes openssl to crash
whilst processing DTLS packets due to memory being freed twice. This
can be exploited through a Denial of Service attack. [CVE-2014-3505]

An attacker can force openssl to consume large amounts of memory
whilst processing DTLS handshake messages. This can be exploited
through a Denial of Service attack. [CVE-2014-3506]

By sending carefully crafted DTLS packets an attacker could cause
openssl to leak memory. This can be exploited through a Denial of
Service attack. [CVE-2014-3507]

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are
subject to a denial of service attack. A malicious server can crash
the client with a NULL pointer dereference (read) by specifying an
anonymous (EC)DH ciphersuite and sending carefully crafted handshake
messages. [CVE-2014-3510]

A flaw in the OpenSSL SSL/TLS server code causes the server to
negotiate TLS 1.0 instead of higher protocol versions when the
ClientHello message is badly fragmented. This allows a
man-in-the-middle attacker to force a downgrade to TLS 1.0 even if
both the server and the client support a higher protocol version, by
modifying the client's TLS records. [CVE-2014-3511]

A malicious client or server can send invalid SRP parameters and
overrun an internal buffer. Only applications which are explicitly set
up for SRP use are affected. [CVE-2014-3512]

See also :

https://www.openssl.org/news/secadv/20140806.txt
http://www.nessus.org/u?816f8443

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now