OpenSSL contains a vulnerability in code that processes SSL/TLS handshakes when configured to use the Kerberos cipher suites. This vulnerability could allow a remote attacker to cause OpenSSL to crash.
OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others.
According to RFC2712, TLS allows clients and servers to negotiate cipher suites to meet specific security and administrative policies. In order to provide Kerberos-based authentication, TLS supports the Kerberos cipher suites.
A remote, unauthenticated attacker could cause a denial of service in an application that uses OpenSSL with Kerberos cipher suites.
Upgrade or Patch
This vulnerability was discovered by the OpenSSL Project and reported by the National Infrastructure Security Co-ordination Centre (NISCC).
This document was written by Damon Morda.
|Date First Published:||2004-03-17|
|Date Last Updated:||2004-03-26 21:59 UTC|