Vulnerability Note VU#484726

OpenSSL does not adequately validate length of Kerberos ticket during SSL/TLS handshake

Original Release date: 17 Mar 2004 | Last revised: 26 Mar 2004

Overview

OpenSSL contains a vulnerability in code that processes SSL/TLS handshakes when configured to use the Kerberos cipher suites. This vulnerability could allow a remote attacker to cause OpenSSL to crash.

Description

OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others.

According to RFC2712, TLS allows clients and servers to negotiate cipher suites to meet specific security and administrative policies. In order to provide Kerberos-based authentication, TLS supports the Kerberos cipher suites.

Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL contain a vulnerability in code that processes SSL/TLS handshakes using Kerberos cipher suites. This vulnerability can be exploited by a remote attacker using a specially crafted SSL/TLS handshake to a server configured to use the Kerberos cipher suites. When the server attempts to process this request, OpenSSL could crash. OpenSSL 0.9.6 is not affected.

Further information is available in an advisory from OpenSSL and NISCC/224012/OpenSSL/2.

Impact

A remote, unauthenticated attacker could cause a denial of service in an application that uses OpenSSL with Kerberos cipher suites.

Solution

Upgrade or Patch
Upgrade to OpenSSL 0.9.7d. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to OpenSSL libraries.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Apple Computer Inc.Affected17 Mar 200406 May 2005
OpenSSLAffected-16 Mar 2004
3ComUnknown-18 Mar 2004
AlcatelUnknown-18 Mar 2004
ApacheUnknown-18 Mar 2004
At&TUnknown-18 Mar 2004
AvayaUnknown-18 Mar 2004
BorderwareUnknown-18 Mar 2004
BSDIUnknown-18 Mar 2004
CerticomUnknown-18 Mar 2004
Check PointUnknown-18 Mar 2004
Cisco Systems Inc.Unknown-18 Mar 2004
ClavisterUnknown-18 Mar 2004
Computer AssociatesUnknown-18 Mar 2004
ConectivaUnknown-18 Mar 2004
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was discovered by the OpenSSL Project and reported by the National Infrastructure Security Co-ordination Centre (NISCC).

This document was written by Damon Morda.

Other Information

  • CVE IDs: CAN-2004-0112
  • Date Public: 17 Mar 2004
  • Date First Published: 17 Mar 2004
  • Date Last Updated: 26 Mar 2004
  • Severity Metric: 10.32
  • Document Revision: 28

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.