Vulnerabilities > CVE-2009-1387 - NULL Pointer Dereference vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 | |
Application | 3 | |
OS | 4 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20090902_OPENSSL_ON_SL5_X.NASL description CVE-2009-0590 openssl: ASN1 printing crash CVE-2009-1377 OpenSSL: DTLS epoch record buffer memory DoS CVE-2009-1378 OpenSSL: DTLS fragment handling memory DoS CVE-2009-1379 OpenSSL: DTLS pointer use-after-free flaw (DoS) CVE-2009-1386 openssl: DTLS NULL deref crash on early ChangeCipherSpec request CVE-2009-1387 openssl: DTLS out-of-sequence message handling NULL deref DoS Multiple denial of service flaws were discovered in OpenSSL last seen 2020-06-01 modified 2020-06-02 plugin id 60658 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60658 title Scientific Linux Security Update : openssl on SL5.x i386/x86_64 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(60658); script_version("1.11"); script_cvs_date("Date: 2019/10/25 13:36:18"); script_cve_id("CVE-2009-0590", "CVE-2009-1377", "CVE-2009-1378", "CVE-2009-1379", "CVE-2009-1386", "CVE-2009-1387"); script_name(english:"Scientific Linux Security Update : openssl on SL5.x i386/x86_64"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "CVE-2009-0590 openssl: ASN1 printing crash CVE-2009-1377 OpenSSL: DTLS epoch record buffer memory DoS CVE-2009-1378 OpenSSL: DTLS fragment handling memory DoS CVE-2009-1379 OpenSSL: DTLS pointer use-after-free flaw (DoS) CVE-2009-1386 openssl: DTLS NULL deref crash on early ChangeCipherSpec request CVE-2009-1387 openssl: DTLS out-of-sequence message handling NULL deref DoS Multiple denial of service flaws were discovered in OpenSSL's DTLS implementation. A remote attacker could use these flaws to cause a DTLS server to use excessive amounts of memory, or crash on an invalid memory access or NULL pointer dereference. (CVE-2009-1377, CVE-2009-1378, CVE-2009-1379, CVE-2009-1386, CVE-2009-1387) Note: These flaws only affect applications that use DTLS. Scientific Linux does not ship any DTLS client or server applications. An input validation flaw was found in the handling of the BMPString and UniversalString ASN1 string types in OpenSSL's ASN1_STRING_print_ex() function. An attacker could use this flaw to create a specially crafted X.509 certificate that could cause applications using the affected function to crash when printing certificate contents. (CVE-2009-0590) Note: The affected function is rarely used. No application shipped with Scientific Linux calls this function, for example. These updated packages also fix the following bugs : - 'openssl smime -verify -in' verifies the signature of the input file and the '-verify' switch expects a signed or encrypted input file. Previously, running openssl on an S/MIME file that was not encrypted or signed caused openssl to segfault. With this update, the input file is now checked for a signature or encryption. Consequently, openssl now returns an error and quits when attempting to verify an unencrypted or unsigned S/MIME file. (BZ#472440) - when generating RSA keys, pairwise tests were called even in non-FIPS mode. This prevented small keys from being generated. With this update, generating keys in non-FIPS mode no longer calls the pairwise tests and keys as small as 32-bits can be generated in this mode. Note: In FIPS mode, pairwise tests are still called and keys generated in this mode must still be 1024-bits or larger. (BZ#479817) As well, these updated packages add the following enhancements : - both the libcrypto and libssl shared libraries, which are part of the OpenSSL FIPS module, are now checked for integrity on initialization of FIPS mode. (BZ#475798) - an issuing Certificate Authority (CA) allows multiple certificate templates to inherit the CA's Common Name (CN). Because this CN is used as a unique identifier, each template had to have its own Certificate Revocation List (CRL). With this update, multiple CRLs with the same subject name can now be stored in a X509_STORE structure, with their signature field being used to distinguish between them. (BZ#457134) - the fipscheck library is no longer needed for rebuilding the openssl source RPM. (BZ#475798)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=457134" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=472440" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=475798" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=479817" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0909&L=scientific-linux-errata&T=0&P=1445 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?df0d6dcf" ); script_set_attribute( attribute:"solution", value: "Update the affected openssl, openssl-devel and / or openssl-perl packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(119, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/03/27"); script_set_attribute(attribute:"patch_publication_date", value:"2009/09/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL5", reference:"openssl-0.9.8e-12.el5")) flag++; if (rpm_check(release:"SL5", reference:"openssl-devel-0.9.8e-12.el5")) flag++; if (rpm_check(release:"SL5", reference:"openssl-perl-0.9.8e-12.el5")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-792-1.NASL description It was discovered that OpenSSL did not limit the number of DTLS records it would buffer when they arrived with a future epoch. A remote attacker could cause a denial of service via memory resource consumption by sending a large number of crafted requests. (CVE-2009-1377) It was discovered that OpenSSL did not properly free memory when processing DTLS fragments. A remote attacker could cause a denial of service via memory resource consumption by sending a large number of crafted requests. (CVE-2009-1378) It was discovered that OpenSSL did not properly handle certain server certificates when processing DTLS packets. A remote DTLS server could cause a denial of service by sending a message containing a specially crafted server certificate. (CVE-2009-1379) It was discovered that OpenSSL did not properly handle a DTLS ChangeCipherSpec packet when it occured before ClientHello. A remote attacker could cause a denial of service by sending a specially crafted request. (CVE-2009-1386) It was discovered that OpenSSL did not properly handle out of sequence DTLS handshake messages. A remote attacker could cause a denial of service by sending a specially crafted request. (CVE-2009-1387). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 39534 published 2009-06-26 reporter Ubuntu Security Notice (C) 2009-2019 Canonical, Inc. / NASL script (C) 2009-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/39534 title Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : openssl vulnerabilities (USN-792-1) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0004.NASL description a. vMA and Service Console update for newt to 0.52.2-12.el5_4.1 Newt is a programming library for color text mode, widget based user interfaces. Newt can be used to add stacked windows, entry widgets, checkboxes, radio buttons, labels, plain text fields, scrollbars, etc., to text mode user interfaces. A heap-based buffer overflow flaw was found in the way newt processes content that is to be displayed in a text dialog box. A local attacker could issue a specially crafted text dialog box display request (direct or via a custom application), leading to a denial of service (application crash) or, potentially, arbitrary code execution with the privileges of the user running the application using the newt library. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-2905 to this issue. b. vMA and Service Console update for vMA package nfs-utils to 1.0.9-42.el5 The nfs-utils package provides a daemon for the kernel NFS server and related tools. It was discovered that nfs-utils did not use tcp_wrappers correctly. Certain hosts access rules defined in last seen 2020-06-01 modified 2020-06-02 plugin id 44993 published 2010-03-05 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/44993 title VMSA-2010-0004 : ESX Service Console and vMA third-party updates NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0020_OPENSSL098E.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssl098e packages installed that are affected by multiple vulnerabilities: - OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d allows remote attackers to cause a denial of service (infinite loop and memory consumption) via malformed ASN.1 structures that trigger an improperly handled error condition. (CVE-2006-2937) - OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows attackers to cause a denial of service (CPU consumption) via parasitic public keys with large (1) public exponent or (2) public modulus values in X.509 certificates that require extra time to process when using RSA signature verification. (CVE-2006-2940) - Buffer overflow in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions has unspecified impact and remote attack vectors involving a long list of ciphers. (CVE-2006-3738) - OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8 before 0.9.8c, when using an RSA key with exponent 3, removes PKCS-1 padding before generating a hash, which allows remote attackers to forge a PKCS #1 v1.5 signature that is signed by that RSA key and prevents OpenSSL from correctly verifying X.509 and other certificates that use PKCS #1. (CVE-2006-4339) - The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference. (CVE-2006-4343) - The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys. (CVE-2007-3108) - Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors. (CVE-2007-4995) - Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible. (CVE-2007-5135) - OpenSSL 0.9.8i and earlier does not properly check the return value from the EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature for DSA and ECDSA keys. (CVE-2008-5077) - The ASN1_STRING_print_ex function in OpenSSL before 0.9.8k allows remote attackers to cause a denial of service (invalid memory access and application crash) via vectors that trigger printing of a (1) BMPString or (2) UniversalString with an invalid encoded length. (CVE-2009-0590) - The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of future epoch DTLS records that are buffered in a queue, aka DTLS record buffer limitation bug. (CVE-2009-1377) - Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka DTLS fragment handling memory leak. (CVE-2009-1378) - Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate. (CVE-2009-1379) - ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello. (CVE-2009-1386) - The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of- sequence DTLS handshake message, related to a fragment bug. (CVE-2009-1387) - The Network Security Services (NSS) library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large. (CVE-2009-2409) - OpenSSL before 0.9.8m does not check for a NULL return value from bn_wexpand function calls in (1) crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3) crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which has unspecified impact and context-dependent attack vectors. (CVE-2009-3245) - The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post- renegotiation context, related to a plaintext injection attack, aka the Project Mogul issue. (CVE-2009-3555) - Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678. (CVE-2009-4355) - The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot. (CVE-2010-0433) - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key. (CVE-2012-2110) - The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the- middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a CRIME attack. (CVE-2012-4929) - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. (CVE-2013-0166) - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side- channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the Lucky Thirteen issue. (CVE-2013-0169) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 127177 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127177 title NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl098e Multiple Vulnerabilities (NS-SA-2019-0020) NASL family Web Servers NASL id HPSMH_6_0_0_95.NASL description According to its self-reported version number, the HP System Management Homepage install on the remote host is earlier than 6.0.0.96 / 6.0.0-95. Such versions are potentially affected by the following vulnerabilities : - A cross-site scripting (XSS) vulnerability due to a failure to sanitize UTF-7 encoded input. Browsers are only affected if encoding is set to auto-select. (CVE-2008-1468) - An integer overflow in the libxml2 library that can result in a heap overflow. (CVE-2008-4226) - A buffer overflow in the PHP mbstring extension. (CVE-2008-5557) - An unspecified XSS in PHP when last seen 2020-06-01 modified 2020-06-02 plugin id 46015 published 2010-04-27 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/46015 title HP System Management Homepage < 6.0.0.96 / 6.0.0-95 Multiple Vulnerabilities NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1888.NASL description Certificates with MD2 hash signatures are no longer accepted by OpenSSL, since they last seen 2020-06-01 modified 2020-06-02 plugin id 44753 published 2010-02-24 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/44753 title Debian DSA-1888-1 : openssl, openssl097 - cryptographic weakness NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0004_REMOTE.NASL description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries : - bind - expat - glib2 - Kernel - newt - nfs-utils - NTP - OpenSSH - OpenSSL last seen 2020-06-01 modified 2020-06-02 plugin id 89737 published 2016-03-08 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89737 title VMware ESX Third-Party Libraries Multiple Vulnerabilities (VMSA-2010-0004) (remote check) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200912-01.NASL description The remote host is affected by the vulnerability described in GLSA-200912-01 (OpenSSL: Multiple vulnerabilities) Multiple vulnerabilities have been reported in OpenSSL: Marsh Ray of PhoneFactor and Martin Rex of SAP independently reported that the TLS protocol does not properly handle session renegotiation requests (CVE-2009-3555). The MD2 hash algorithm is no longer considered to be cryptographically strong, as demonstrated by Dan Kaminsky. Certificates using this algorithm are no longer accepted (CVE-2009-2409). Daniel Mentz and Robin Seggelmann reported the following vulnerabilities related to DTLS: A use-after-free flaw (CVE-2009-1379) and a NULL pointer dereference (CVE-2009-1387) in the dtls1_retrieve_buffered_fragment() function in src/d1_both.c, multiple memory leaks in the dtls1_process_out_of_seq_message() function in src/d1_both.c (CVE-2009-1378), and a processing error related to a large amount of DTLS records with a future epoch in the dtls1_buffer_record() function in ssl/d1_pkt.c (CVE-2009-1377). Impact : A remote unauthenticated attacker, acting as a Man in the Middle, could inject arbitrary plain text into a TLS session, possibly leading to the ability to send requests as if authenticated as the victim. A remote attacker could furthermore send specially crafted DTLS packages to a service using OpenSSL for DTLS support, possibly resulting in a Denial of Service. Also, a remote attacker might be able to create rogue certificates, facilitated by a MD2 collision. NOTE: The amount of computation needed for this attack is still very large. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 42968 published 2009-12-02 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42968 title GLSA-200912-01 : OpenSSL: Multiple vulnerabilities NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0009.NASL description a. Service Console update for COS kernel Updated COS package last seen 2020-06-01 modified 2020-06-02 plugin id 46765 published 2010-06-01 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/46765 title VMSA-2010-0009 : ESXi ntp and ESX Service Console third-party updates NASL family SuSE Local Security Checks NASL id SUSE_OPENSSL-6296.NASL description OpenSSL DTLS remote DoS in ChangeCipherSpec (CVE-2009-1386) and in out-of-sequence message handling (CVE-2009-1387) have been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 41573 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41573 title SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 6296) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1335.NASL description Updated openssl packages that fix several security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library. Datagram TLS (DTLS) is a protocol based on TLS that is capable of securing datagram transport (for example, UDP). Multiple denial of service flaws were discovered in OpenSSL last seen 2020-06-01 modified 2020-06-02 plugin id 63892 published 2013-01-24 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/63892 title RHEL 5 : openssl (RHSA-2009:1335) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-239.NASL description Multiple vulnerabilities was discovered and corrected in openssl : Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate (CVE-2009-1379). The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a fragment bug. (CVE-2009-1387) The NSS library library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spooof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large (CVE-2009-2409). This update provides a solution to these vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 48153 published 2010-07-30 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/48153 title Mandriva Linux Security Advisory : openssl (MDVSA-2009:239) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0009_REMOTE.NASL description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several components and third-party libraries : - libpng - VMnc Codec - vmrun - VMware Remote Console (VMrc) - VMware Tools - vmware-authd last seen 2020-06-01 modified 2020-06-02 plugin id 89740 published 2016-03-08 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89740 title VMware ESX / ESXi Third-Party Libraries and Components (VMSA-2010-0009) (remote check) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-310.NASL description Multiple security vulnerabilities has been identified and fixed in OpenSSL : The dtls1_buffer_record function in ssl/d1_pkt.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote attackers to cause a denial of service (memory consumption) via a large series of future epoch DTLS records that are buffered in a queue, aka DTLS record buffer limitation bug. (CVE-2009-1377) Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka DTLS fragment handling memory leak. (CVE-2009-1378) Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate (CVE-2009-1379). ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello (CVE-2009-1386). The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a fragment bug. (CVE-2009-1387) The NSS library library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spooof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large (CVE-2009-2409). A regression was found with the self signed certificate signatures checking after applying the fix for CVE-2009-2409. An upstream patch has been applied to address this issue. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers The updated packages have been patched to prevent this. last seen 2020-06-01 modified 2020-06-02 plugin id 42996 published 2009-12-04 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42996 title Mandriva Linux Security Advisory : openssl (MDVSA-2009:310) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2009-1335.NASL description Updated openssl packages that fix several security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5. This update has been rated as having moderate security impact by the Red Hat Security Response Team. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength general purpose cryptography library. Datagram TLS (DTLS) is a protocol based on TLS that is capable of securing datagram transport (for example, UDP). Multiple denial of service flaws were discovered in OpenSSL last seen 2020-06-01 modified 2020-06-02 plugin id 43785 published 2010-01-06 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43785 title CentOS 5 : openssl (CESA-2009:1335) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2009-238.NASL description Multiple vulnerabilities was discovered and corrected in openssl : Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate (CVE-2009-1379). ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello (CVE-2009-1386). The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a fragment bug. (CVE-2009-1387) The NSS library library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spooof certificates by using MD2 design flaws to generate a hash collision in less than brute-force time. NOTE: the scope of this issue is currently limited because the amount of computation required is still large (CVE-2009-2409). This update provides a solution to these vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 41030 published 2009-09-22 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/41030 title Mandriva Linux Security Advisory : openssl (MDVSA-2009:238) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1547.NASL description According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A NULL pointer dereference flaw was found in OpenSSL last seen 2020-06-01 modified 2020-06-02 plugin id 125000 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125000 title EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1547) NASL family SuSE Local Security Checks NASL id SUSE_11_1_LIBOPENSSL-DEVEL-090609.NASL description OpenSSL DTLS remote DoS in ChangeCipherSpec (CVE-2009-1386) and in out-of-sequence message handling (CVE-2009-1387) have been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 40262 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40262 title openSUSE Security Update : libopenssl-devel (libopenssl-devel-974) NASL family SuSE Local Security Checks NASL id SUSE_LIBOPENSSL-DEVEL-6291.NASL description OpenSSL DTLS remote DoS in ChangeCipherSpec (CVE-2009-1386) and in out-of-sequence message handling (CVE-2009-1387) have been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 39445 published 2009-06-18 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/39445 title openSUSE 10 Security Update : libopenssl-devel (libopenssl-devel-6291) NASL family SuSE Local Security Checks NASL id SUSE_11_OPENSSL-090610.NASL description OpenSSL DTLS remote DoS in ChangeCipherSpec (CVE-2009-1386) and in out-of-sequence message handling (CVE-2009-1387) have been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 41443 published 2009-09-24 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/41443 title SuSE 11 Security Update : OpenSSL (SAT Patch Number 990) NASL family SuSE Local Security Checks NASL id SUSE_11_0_LIBOPENSSL-DEVEL-090609.NASL description OpenSSL DTLS remote DoS in ChangeCipherSpec (CVE-2009-1386) and in out-of-sequence message handling (CVE-2009-1387) have been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 40035 published 2009-07-21 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40035 title openSUSE Security Update : libopenssl-devel (libopenssl-devel-974) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL15348.NASL description The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a last seen 2020-06-01 modified 2020-06-02 plugin id 78179 published 2014-10-10 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/78179 title F5 Networks BIG-IP : OpenSSL DTLS Buffer vulnerability (SOL15348) NASL family Web Servers NASL id OPENSSL_1_0_0.NASL description According to its banner, the remote server is running a version of OpenSSL 1.0.0 prior to 1.0.0 beta 2. A remote attacker can crash the server by sending an out-of-sequence DTLS handshake message. last seen 2020-06-01 modified 2020-06-02 plugin id 17768 published 2012-01-04 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17768 title OpenSSL 1.0.0 < 1.0.0-beta2 DoS
Oval
accepted 2013-04-29T04:08:15.416-04:00 class vulnerability contributors name Aharon Chernin organization SCAP.com, LLC name Dragos Prisaca organization G2, Inc.
definition_extensions comment The operating system installed on the system is Red Hat Enterprise Linux 5 oval oval:org.mitre.oval:def:11414 comment The operating system installed on the system is CentOS Linux 5.x oval oval:org.mitre.oval:def:15802 comment Oracle Linux 5.x oval oval:org.mitre.oval:def:15459
description The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug." family unix id oval:org.mitre.oval:def:10740 status accepted submitted 2010-07-09T03:56:16-04:00 title The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug." version 18 accepted 2014-01-20T04:01:36.192-05:00 class vulnerability contributors name J. Daniel Brown organization DTCC name Chris Coffin organization The MITRE Corporation
definition_extensions comment VMware ESX Server 4.0 is installed oval oval:org.mitre.oval:def:6293 description The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a "fragment bug." family unix id oval:org.mitre.oval:def:7592 status accepted submitted 2010-06-01T17:30:00.000-05:00 title OpenSSL 'dtls1_retrieve_buffered_fragment()' DTLS Remote Denial of Service Vulnerability version 8
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 35417 CVE(CAN) ID: CVE-2009-1387 OpenSSL是一种开放源码的SSL实现,用来实现网络通信的高强度加密,现在被广泛地用于各种网络应用程序中。 OpenSSL在接收到带有非预期序列号的握手消息时会将其传送给dtls1_process_out_of_seq_message()函数。如果序列号低于预期值,这个函数会丢弃数据;如果为之后的消息,函数会缓冲数据。在丢弃数据时,消息碎片长度保持为0,说明没有缓冲任何数据。由于检查长度所用的错误if条件,有时会缓冲没有数据但长度为丢弃消息长度的碎片,之后在进行处理的时候会导致总线错误。 OpenSSL 0.9.x 厂商补丁: OpenSSL Project --------------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href="http://cvs.openssl.org/chngview?cn=17958" target="_blank" rel=external nofollow>http://cvs.openssl.org/chngview?cn=17958</a> |
id | SSV:11667 |
last seen | 2017-11-19 |
modified | 2009-06-22 |
published | 2009-06-22 |
reporter | Root |
title | OpenSSL dtls1_retrieve_buffered_fragment()函数握手消息拒绝服务漏洞 |
References
- http://cvs.openssl.org/chngview?cn=17958
- http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest
- http://www.openwall.com/lists/oss-security/2009/06/02/1
- http://www.ubuntu.com/usn/USN-792-1
- http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
- http://secunia.com/advisories/35571
- http://secunia.com/advisories/35685
- http://secunia.com/advisories/35729
- ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc
- http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net
- http://secunia.com/advisories/37003
- http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html
- http://security.gentoo.org/glsa/glsa-200912-01.xml
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444
- http://secunia.com/advisories/38794
- http://lists.vmware.com/pipermail/security-announce/2010/000082.html
- http://secunia.com/advisories/38834
- http://www.vupen.com/english/advisories/2010/0528
- http://secunia.com/advisories/36533
- http://www.redhat.com/support/errata/RHSA-2009-1335.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7592
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10740