|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
 |
Vulnerability Note VU#386964
OpenSSL SSLv2 client code fails to properly check for NULL
OverviewA flaw in the OpenSSL library could allow a remote attacker to cause a denial of service on an affected application.
I. DescriptionThe OpenSSL toolkit implements the Secure Sockets Layer (SSL versions 2 and 3) and Transport Layer Security (TLS version 1) protocols as well as a general purpose cryptographic library. A missing check for NULL exists in the SSLv2 client get_server_hello() function. As a result, an affected client application using OpenSSL to create an SSLv2 connection to a malicious server could be caused to crash.II. ImpactA remote attacker could cause an affected client application to crash, creating a denial of service.III. SolutionUpgrade or apply a patch from the vendor
Patches have been released to address this issue. Please see the Systems Affected section of this document for more information.
Users or redistributors who compile OpenSSL from the original source code distribution are encouraged to review OpenSSL Security Advisory [28th September 2006] and upgrade to the appropriate fixed version of the software.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|
| 3com, Inc. | Unknown | 15-Sep-2006 |
| Aladdin Knowledge Systems | Unknown | 15-Sep-2006 |
| Alcatel | Unknown | 15-Sep-2006 |
| America Online, Inc. | Unknown | 15-Sep-2006 |
| Apache-SSL | Unknown | 15-Sep-2006 |
| Apache HTTP Server Project | Unknown | 15-Sep-2006 |
| Apple Computer, Inc. | Unknown | 15-Sep-2006 |
| Aruba Networks, Inc. | Unknown | 15-Sep-2006 |
| AttachmateWRQ, Inc. | Unknown | 15-Sep-2006 |
| AT&T | Unknown | 15-Sep-2006 |
| Avaya, Inc. | Unknown | 15-Sep-2006 |
| Avici Systems, Inc. | Unknown | 15-Sep-2006 |
| Borderware Technologies | Unknown | 15-Sep-2006 |
| Certicom | Unknown | 15-Sep-2006 |
| Charlotte's Web Networks | Unknown | 15-Sep-2006 |
| Check Point Software Technologies | Unknown | 15-Sep-2006 |
| Chiaro Networks, Inc. | Unknown | 15-Sep-2006 |
| Cisco Systems, Inc. | Unknown | 15-Sep-2006 |
| Clavister | Unknown | 15-Sep-2006 |
| Command Software Systems | Unknown | 15-Sep-2006 |
| Computer Associates | Unknown | 15-Sep-2006 |
| Conectiva Inc. | Unknown | 15-Sep-2006 |
| Covalent Technologies | Unknown | 15-Sep-2006 |
| Cray Inc. | Unknown | 15-Sep-2006 |
| Cryptlib | Unknown | 15-Sep-2006 |
| Crypto++ Library | Unknown | 15-Sep-2006 |
| CyberSoft, Inc. | Unknown | 15-Sep-2006 |
| D-Link Systems, Inc. | Unknown | 15-Sep-2006 |
| Data Connection, Ltd. | Unknown | 15-Sep-2006 |
| DataFellows | Unknown | 15-Sep-2006 |
| Debian GNU/Linux | Vulnerable | 2-Oct-2006 |
| EMC, Inc. (formerly Data General Corporation) | Unknown | 15-Sep-2006 |
| Engarde Secure Linux | Unknown | 15-Sep-2006 |
| Ericsson | Unknown | 15-Sep-2006 |
| eSoft, Inc. | Unknown | 15-Sep-2006 |
| Extreme Networks | Unknown | 15-Sep-2006 |
| F-PROT by FRISK Software International | Unknown | 15-Sep-2006 |
| F-Secure Corporation | Unknown | 15-Sep-2006 |
| F5 Networks, Inc. | Vulnerable | 21-Sep-2006 |
| Fedora Project | Unknown | 15-Sep-2006 |
| Finjan Software | Unknown | 15-Sep-2006 |
| Force10 Networks, Inc. | Unknown | 15-Sep-2006 |
| Fortinet, Inc. | Unknown | 15-Sep-2006 |
| Foundry Networks, Inc. | Unknown | 15-Sep-2006 |
| FreeBSD, Inc. | Vulnerable | 28-Sep-2006 |
| Fujitsu | Not Vulnerable | 29-Sep-2006 |
| Gentoo Linux | Unknown | 15-Sep-2006 |
| GFI Software, Inc. | Unknown | 15-Sep-2006 |
| Global Technology Associates | Not Vulnerable | 18-Sep-2006 |
| Hewlett-Packard Company | Unknown | 15-Sep-2006 |
| Hitachi | Unknown | 15-Sep-2006 |
| Hyperchip | Unknown | 15-Sep-2006 |
| IAIK Java Group | Unknown | 15-Sep-2006 |
| IBM Corporation | Unknown | 15-Sep-2006 |
| IBM Corporation (zseries) | Unknown | 15-Sep-2006 |
| IBM eServer | Unknown | 15-Sep-2006 |
| Immunix Communications, Inc. | Unknown | 15-Sep-2006 |
| Ingrian Networks, Inc. | Unknown | 15-Sep-2006 |
| Intel Corporation | Unknown | 15-Sep-2006 |
| Internet Security Systems, Inc. | Unknown | 15-Sep-2006 |
| Intoto | Unknown | 15-Sep-2006 |
| IP Filter | Unknown | 15-Sep-2006 |
| Juniper Networks, Inc. | Unknown | 15-Sep-2006 |
| Linksys (A division of Cisco Systems) | Unknown | 15-Sep-2006 |
| Lotus Software | Unknown | 15-Sep-2006 |
| lsh | Unknown | 15-Sep-2006 |
| Lucent Technologies | Unknown | 15-Sep-2006 |
| Luminous Networks | Unknown | 15-Sep-2006 |
| Mandriva, Inc. | Unknown | 15-Sep-2006 |
| MessageLabs | Unknown | 15-Sep-2006 |
| Microsoft Corporation | Unknown | 15-Sep-2006 |
| Microsoft Internet Explorer | Unknown | 15-Sep-2006 |
| Mirapoint, Inc. | Unknown | 15-Sep-2006 |
| mod_ssl | Unknown | 15-Sep-2006 |
| MontaVista Software, Inc. | Unknown | 15-Sep-2006 |
| Mozilla - Network Security Services | Unknown | 15-Sep-2006 |
| Mozilla, Inc. | Unknown | 15-Sep-2006 |
| Multinet (owned Process Software Corporation) | Unknown | 15-Sep-2006 |
| Multitech, Inc. | Unknown | 15-Sep-2006 |
| MySQL AB | Unknown | 15-Sep-2006 |
| NEC Corporation | Unknown | 15-Sep-2006 |
| NetBSD | Unknown | 15-Sep-2006 |
| netfilter | Unknown | 15-Sep-2006 |
| Netscape NSS | Unknown | 15-Sep-2006 |
| Network Appliance, Inc. | Unknown | 15-Sep-2006 |
| NextHop Technologies, Inc. | Unknown | 15-Sep-2006 |
| Nokia | Unknown | 15-Sep-2006 |
| Nortel Networks, Inc. | Unknown | 15-Sep-2006 |
| Novell, Inc. | Unknown | 15-Sep-2006 |
| OpenBSD | Unknown | 15-Sep-2006 |
| OpenPKG | Vulnerable | 2-Oct-2006 |
| OpenSSL | Vulnerable | 28-Sep-2006 |
| Openwall GNU/*/Linux | Unknown | 15-Sep-2006 |
| Oracle Corporation | Vulnerable | 17-Jan-2007 |
| Proland Software, Inc. | Unknown | 15-Sep-2006 |
| QNX, Software Systems, Inc. | Unknown | 15-Sep-2006 |
| Red Hat, Inc. | Vulnerable | 2-Oct-2006 |
| Redback Networks, Inc. | Unknown | 15-Sep-2006 |
| Riverstone Networks, Inc. | Unknown | 15-Sep-2006 |
| rPath | Vulnerable | 2-Oct-2006 |
| RSA Security, Inc. | Unknown | 15-Sep-2006 |
| Secure Computing Network Security Division | Unknown | 15-Sep-2006 |
| Secureworx, Inc. | Unknown | 15-Sep-2006 |
| Sendmail Consortium | Unknown | 15-Sep-2006 |
| Sendmail, Inc. | Unknown | 22-Sep-2006 |
| Silicon Graphics, Inc. | Unknown | 15-Sep-2006 |
| Slackware Linux Inc. | Vulnerable | 2-Oct-2006 |
| Sony Corporation | Unknown | 15-Sep-2006 |
| Sophos, Inc. | Unknown | 15-Sep-2006 |
| Spyrus | Unknown | 15-Sep-2006 |
| Stonesoft | Unknown | 15-Sep-2006 |
| Stunnel | Unknown | 15-Sep-2006 |
| Sun Microsystems, Inc. | Unknown | 15-Sep-2006 |
| SUSE Linux | Vulnerable | 2-Oct-2006 |
| Symantec, Inc. | Unknown | 15-Sep-2006 |
| The SCO Group | Unknown | 15-Sep-2006 |
| Trendmicro | Unknown | 15-Sep-2006 |
| Trustix Secure Linux | Vulnerable | 2-Oct-2006 |
| Turbolinux | Unknown | 15-Sep-2006 |
| Ubuntu | Vulnerable | 28-Sep-2006 |
| Unisys | Unknown | 15-Sep-2006 |
| Watchguard Technologies, Inc. | Unknown | 15-Sep-2006 |
| Wietse Venema | Unknown | 15-Sep-2006 |
| Wind River Systems, Inc. | Unknown | 15-Sep-2006 |
| ZyXEL | Unknown | 15-Sep-2006 |
References
http://www.openssl.org/news/secadv_20060928.txt
http://jvn.jp/cert/JVNVU%23386964/index.html
http://secunia.com/advisories/23280/
http://secunia.com/advisories/23309/
http://www.securityfocus.com/bid/20246
http://www.securityfocus.com/bid/22083
Credit
Thanks to Tavis Ormandy and Will Drewry of the Google Security Team for reporting this vulnerability.
This document was written by Chad R Dougherty.
Other Information
| Date Public: | 2006-09-28 |
| Date First Published: | 2006-09-28 |
| Date Last Updated: | 2007-02-08 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2006-4343 |
| NVD-ID(s): | CVE-2006-4343 |
| US-CERT Technical Alerts: | |
| Metric: | 0.32 |
| Document Revision: | 29 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader