Vulnerability Note VU#465542
OpenSSL does not properly handle unknown message types
Overview
OpenSSL does not properly handle unknown message types, allowing an unauthenticated, remote attacker to cause a denial of service. This vulnerability was addressed in OpenSSL 0.9.6d and 0.9.7.
Description
OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others. OpenSSL prior to version 0.9.6d does not properly handle unknown message types. An attacker could cause the application using OpenSSL to enter an infinite loop, resulting in a denial of service. |
Impact
An unauthenticated, remote attacker could cause a denial of service in an application that uses OpenSSL. |
Solution
Upgrade or Patch |
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Cisco Systems Inc. | Affected | 17 Mar 2004 | 18 Mar 2004 |
| Debian | Affected | 17 Mar 2004 | 18 Mar 2004 |
| Gentoo Linux | Affected | - | 18 Mar 2004 |
| Guardian Digital Inc. | Affected | 17 Mar 2004 | 18 Mar 2004 |
| NetScreen | Affected | 17 Mar 2004 | 18 Mar 2004 |
| OpenSSL | Affected | - | 17 Mar 2004 |
| Red Hat Inc. | Affected | 17 Mar 2004 | 18 Mar 2004 |
| Apple Computer Inc. | Not Affected | 17 Mar 2004 | 06 May 2005 |
| 3Com | Unknown | - | 18 Mar 2004 |
| Alcatel | Unknown | - | 18 Mar 2004 |
| Apache | Unknown | - | 18 Mar 2004 |
| Apache-SSL | Unknown | - | 18 Mar 2004 |
| AT&T | Unknown | - | 18 Mar 2004 |
| Avaya | Unknown | - | 18 Mar 2004 |
| Borderware | Unknown | - | 18 Mar 2004 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.us-cert.gov/cas/techalerts/TA04-078A.html
- http://www.openssl.org
- http://www.uniras.gov.uk/vuls/2004/224012/index.htm
- http://cvs.openssl.org/chngview?cn=5721
- http://cvs.openssl.org/chngview?cn=5722
- http://cvs.openssl.org/getfile?v=1.618.2.137&f=openssl/CHANGES
- http://cvs.openssl.org/getfile?v=1.954&f=openssl/CHANGES
Credit
This vulnerability was reported by the OpenSSL Project and the U.K. National Infrastructure Security Co-ordination Centre (NISCC).
This document was written by Damon Morda and Art Manion.
Other Information
- CVE IDs: CAN-2004-0081
- Date Public: 17 Mar 2004
- Date First Published: 17 Mar 2004
- Date Last Updated: 06 May 2005
- Severity Metric: 5.16
- Document Revision: 27
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.