Tenable SecurityCenter Multiple DoS (TNS-2014-11)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote application is affected by multiple denial of service
vulnerabilities.

Description :

The SecurityCenter application installed on the remote host is
affected by multiple denial of service vulnerabilities in the bundled
OpenSSL library. The library is version 1.0.1 prior to 1.0.1j. It is,
therefore, affected by the following vulnerabilities :

- A memory leak exists in the DTLS SRTP extension parsing
code. A remote attacker can exploit this issue, using a
specially crafted handshake message, to cause excessive
memory consumption, resulting in a denial of service
condition. (CVE-2014-3513)

- A memory leak exists in the SSL, TLS, and DTLS servers
related to session ticket handling. A remote attacker
can exploit this, using a large number of invalid
session tickets, to cause a denial of service condition.
(CVE-2014-3567)
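The version range in the description (1.0.1 prior to 1.0.1j) can be checked against OpenSSL version banners with a short script. This is an added example, not Tenable's plugin code; the host names and banners in SAMPLE are constructed, and the function names are hypothetical.

```python
import re

# Range stated in the plugin description: OpenSSL 1.0.1 prior to 1.0.1j.
AFFECTED_BRANCH = (1, 0, 1)
FIXED_PATCH = "j"

# Matches banners such as "OpenSSL 1.0.1i 6 Aug 2014"; a build tag such as
# "-fips" after the patch letter is accepted and ignored.
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?![a-z])")

def parse_version(banner):
    """Return ((major, minor, fix), patch_letters), or None if unparseable."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)

def _patch_rank(letters):
    # Patch letters run a..z, then za, zb, ...; (length, text) orders them.
    return (len(letters), letters)

def in_stated_range(banner):
    """True/False for a parsed banner, None when no version was found."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    branch, letters = parsed
    return branch == AFFECTED_BRANCH and _patch_rank(letters) < _patch_rank(FIXED_PATCH)

def triage(inventory):
    """Split {host: banner} into in-range, outside-range and unknown hosts."""
    result = {"in_range": [], "outside_range": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        verdict = in_stated_range(banner)
        key = "unknown" if verdict is None else ("in_range" if verdict else "outside_range")
        result[key].append(host)
    return result

# Constructed sample inventory (hypothetical host names and banners).
SAMPLE = {
    "sc-01": "OpenSSL 1.0.1i 6 Aug 2014",
    "sc-02": "OpenSSL 1.0.1j 15 Oct 2014",
    "sc-03": "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "sc-04": "OpenSSL 1.0.1 14 Mar 2012",
    "sc-05": "OpenSSL 1.0.0o 15 Oct 2014",
    "sc-06": "banner unavailable",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

"outside_range" means only that the banner falls outside the range this page states. How the bundled library's banner is collected on a SecurityCenter host is left to the operator, since the page does not give its location.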

See also :

http://www.tenable.com/security/tns-2014-11
https://www.openssl.org/news/openssl-1.0.1-notes.html
https://www.openssl.org/news/secadv/20141015.txt
https://www.openssl.org/news/vulnerabilities.html

Solution :

Apply the relevant patch referenced in the vendor advisory.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.8
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 80303

Bugtraq ID: 70584, 70586

CVE ID: CVE-2014-3513, CVE-2014-3567
