Vulnerability Note VU#465542

OpenSSL does not properly handle unknown message types

Original Release date: 17 Mar 2004 | Last revised: 06 May 2005

Overview

OpenSSL does not properly handle unknown message types, allowing an unauthenticated, remote attacker to cause a denial of service. This vulnerability was addressed in OpenSSL 0.9.6d and 0.9.7.

Description

OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others.

OpenSSL prior to version 0.9.6d does not properly handle unknown message types. An attacker could cause the application using OpenSSL to enter an infinite loop, resulting in a denial of service.

Further information is available in NISCC/224012/OpenSSL/3.

Impact

An unauthenticated, remote attacker could cause a denial of service in an application that uses OpenSSL.

Solution

Upgrade or Patch
This vulnerability was addressed in OpenSSL versions 0.9.6d and 0.9.7. Upgrade to OpenSSL version 0.9.6d or 0.9.7 greater. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to OpenSSL libraries.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Cisco Systems Inc.Affected17 Mar 200418 Mar 2004
DebianAffected17 Mar 200418 Mar 2004
Gentoo LinuxAffected-18 Mar 2004
Guardian Digital Inc. Affected17 Mar 200418 Mar 2004
NetScreenAffected17 Mar 200418 Mar 2004
OpenSSLAffected-17 Mar 2004
Red Hat Inc.Affected17 Mar 200418 Mar 2004
Apple Computer Inc.Not Affected17 Mar 200406 May 2005
3ComUnknown-18 Mar 2004
AlcatelUnknown-18 Mar 2004
ApacheUnknown-18 Mar 2004
Apache-SSLUnknown-18 Mar 2004
AT&TUnknown-18 Mar 2004
AvayaUnknown-18 Mar 2004
BorderwareUnknown-18 Mar 2004
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was reported by the OpenSSL Project and the U.K. National Infrastructure Security Co-ordination Centre (NISCC).

This document was written by Damon Morda and Art Manion.

Other Information

  • CVE IDs: CAN-2004-0081
  • Date Public: 17 Mar 2004
  • Date First Published: 17 Mar 2004
  • Date Last Updated: 06 May 2005
  • Severity Metric: 5.16
  • Document Revision: 27

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.