Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

OpenSSL < 1.0.1k / < 1.0.0p / < 0.9.8zd Multiple Vulnerabilities

Medium

Synopsis

The remote web server is running an outdated instance of OpenSSL and thus may be missing patches for multiple vulnerabilities.

Description

OpenSSL before 0.9.8zd, 1.0.0p, or 1.0.1k are unpatched for the following vulnerabilities:

- A DTLS segmentation fault due to a null pointer dereference, which can lead to a denial of service attack (CVE-2014-3571)

- A memory leak when handling repeated DTLS records with the same sequence number but the next epoch, which can result in denial of service (CVE-2015-0206)

- A null pointer dereference when handling SSL v3 ClientHelloes can result in denial of service when openssl is built with the no-ssl3 option (CVE-2014-3569)

- ECDHE silently downgrades to ECDH ciphersuite when the server key exchange message is omitted; this removes forward secrecy from the ciphersuite (CVE-2014-3572)

- A server could present a weak temporary RSA key to silently downgrade the session's security from a non-export RSA key exchange ciphersuite (CVE-2015-0204)

- For openssl servers that trust client certificate authorities that issue certificates containing DH keys, a bug exists wherein client certificates are accepted without verification (CVE-2015-0205)

- OpenSSL does not enforce a match between the signed and unsigned portions of the certificate for several non-DER variants of certificate signature algorithms and signature encodings; while this does not affect OpenSSL servers and clients, custom applications relying on the uniqueness of the fingerprint may be affected (CVE-2014-8275)

- Bignum squaring may produce incorrect results at random on some platforms, including x86_64, although the impact of this is unknown, and its occurrence is rare (CVE-2014-3570)

Solution

OpenSSL versions 0.9.8zd, 1.0.0p, and 1.0.1k are patched against these vulnerabilities. Apply the vendors patch, or update to these versions or later.