Vulnerability Note VU#465542

OpenSSL does not properly handle unknown message types

Overview

OpenSSL does not properly handle unknown message types, allowing an unauthenticated, remote attacker to cause a denial of service. This vulnerability was addressed in OpenSSL 0.9.6d and 0.9.7.

I. Description

OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others.

OpenSSL prior to version 0.9.6d does not properly handle unknown message types. An attacker could cause the application using OpenSSL to enter an infinite loop, resulting in a denial of service.

Further information is available in NISCC/224012/OpenSSL/3.

II. Impact

An unauthenticated, remote attacker could cause a denial of service in an application that uses OpenSSL.

III. Solution

Upgrade or Patch

This vulnerability was addressed in OpenSSL versions 0.9.6d and 0.9.7. Upgrade to OpenSSL version 0.9.6d or 0.9.7 greater. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to OpenSSL libraries.

Systems Affected

Vendor	Status	Date Notified
3Com	Unknown	18-Mar-2004
Alcatel	Unknown	18-Mar-2004
Apache	Unknown	18-Mar-2004
Apache-SSL	Unknown	18-Mar-2004
Apple Computer Inc.	Not Vulnerable	6-May-2005
AT&T	Unknown	18-Mar-2004
Avaya	Unknown	18-Mar-2004
Borderware	Unknown	18-Mar-2004
Certicom	Unknown	18-Mar-2004
Check Point	Unknown	18-Mar-2004
Cisco Systems Inc.	Vulnerable	18-Mar-2004
Clavister	Unknown	18-Mar-2004
Computer Associates	Unknown	18-Mar-2004
Conectiva	Unknown	18-Mar-2004
Covalent	Unknown	18-Mar-2004
Cray Inc.	Unknown	18-Mar-2004
D-Link Systems	Unknown	18-Mar-2004
Dan Bernstein	Unknown	18-Mar-2004
Debian	Vulnerable	18-Mar-2004
EMC Corporation	Unknown	18-Mar-2004
eSoft	Unknown	18-Mar-2004
Extreme Networks	Unknown	18-Mar-2004
F-Secure	Unknown	18-Mar-2004
F5 Networks	Unknown	18-Mar-2004
Foundry Networks Inc.	Unknown	18-Mar-2004
FreeBSD	Unknown	18-Mar-2004
FreeS/WAN	Unknown	18-Mar-2004
Fujitsu	Unknown	18-Mar-2004
Gentoo Linux	Vulnerable	18-Mar-2004
Global Technology Associates	Unknown	18-Mar-2004
Guardian Digital Inc.	Vulnerable	18-Mar-2004
Hewlett-Packard Company	Unknown	18-Mar-2004
Hitachi	Unknown	18-Mar-2004
IBM	Unknown	18-Mar-2004
Ingrian Networks	Unknown	18-Mar-2004
Intel	Unknown	18-Mar-2004
Internet Initiative Japan (IIJ)	Unknown	18-Mar-2004
Intoto	Unknown	18-Mar-2004
IP Filter	Unknown	18-Mar-2004
Juniper Networks	Unknown	18-Mar-2004
KAME Project	Unknown	18-Mar-2004
Linksys	Unknown	18-Mar-2004
Lotus Software	Unknown	18-Mar-2004
Lucent Technologies	Unknown	18-Mar-2004
Lucent Technologies	Unknown	18-Mar-2004
MandrakeSoft	Unknown	18-Mar-2004
Microsoft Corporation	Unknown	18-Mar-2004
MontaVista Software	Unknown	18-Mar-2004
Multi-Tech Systems Inc.	Unknown	18-Mar-2004
National Center for Supercomputing Applications (NCSA)	Unknown	18-Mar-2004
National Institute of Standards and Technology (NIST)	Unknown	18-Mar-2004
NEC Corporation	Unknown	18-Mar-2004
NetBSD	Unknown	18-Mar-2004
Netfilter	Unknown	18-Mar-2004
NetScreen	Vulnerable	18-Mar-2004
Network Appliance	Unknown	18-Mar-2004
Network Associates	Unknown	18-Mar-2004
Nokia	Unknown	18-Mar-2004
Nortel Networks	Unknown	18-Mar-2004
Novell	Unknown	18-Mar-2004
OpenBSD	Unknown	18-Mar-2004
OpenSSL	Vulnerable	17-Mar-2004
Openwall GNU/*/Linux	Unknown	18-Mar-2004
Red Hat Inc.	Vulnerable	18-Mar-2004
Redback Networks Inc.	Unknown	18-Mar-2004
Riverstone Networks	Unknown	18-Mar-2004
SafeNet	Unknown	18-Mar-2004
SCO	Unknown	18-Mar-2004
Secure Computing Corporation	Unknown	18-Mar-2004
SecureWorx	Unknown	18-Mar-2004
SGI	Unknown	18-Mar-2004
Sony Corporation	Unknown	18-Mar-2004
SSH Communications Security	Unknown	18-Mar-2004
Stonesoft	Unknown	18-Mar-2004
Sun Microsystems Inc.	Unknown	18-Mar-2004
SuSE Inc.	Unknown	18-Mar-2004
Symantec Corporation	Unknown	18-Mar-2004
TurboLinux	Unknown	18-Mar-2004
Unisys	Unknown	18-Mar-2004
WatchGuard	Unknown	18-Mar-2004
Wind River Systems Inc.	Unknown	18-Mar-2004
Wirex	Unknown	18-Mar-2004
ZyXEL	Unknown	18-Mar-2004

References

http://www.us-cert.gov/cas/techalerts/TA04-078A.html
http://www.openssl.org
http://www.uniras.gov.uk/vuls/2004/224012/index.htm
http://cvs.openssl.org/chngview?cn=5721
http://cvs.openssl.org/chngview?cn=5722
http://cvs.openssl.org/getfile?v=1.618.2.137&f=openssl/CHANGES
http://cvs.openssl.org/getfile?v=1.954&f=openssl/CHANGES

Credit

This vulnerability was reported by the OpenSSL Project and the U.K. National Infrastructure Security Co-ordination Centre (NISCC).

This document was written by Damon Morda and Art Manion.

Other Information

Date Public:	2004-03-17
Date First Published:	2004-03-17
Date Last Updated:	2005-05-06
CERT Advisory:
CVE-ID(s):	CAN-2004-0081
NVD-ID(s):	CAN-2004-0081
US-CERT Technical Alerts:
Metric:	5.16
Document Revision:	27

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader