Denial Of Service Vulnerability In OpenSSL June-09 (Linux) Network Vulnerability

Summary

This host has OpenSSL installed and is prone to Denial of Service vulnerability.

Impact

Successful exploitation will allow attacker to cause DTLS server crash. Impact Level: Application Impact Level: Application

Solution

Upgrade to OpenSSL version 0.9.8i or later http://www.openssl.org/source ***** Note: Vulnerability is related to CVE-2009-1386 ***** ***** This might be a False Positive Only version check is being done depending on the publicly available OpenSSL packages. Each vendor might have backported versions of the packages. *****

Insight

A NULL pointer dereference error in ssl/s3_pkt.c file which does not properly check the input packets value via a DTLS ChangeCipherSpec packet that occurs before ClientHello.

Affected

OpenSSL version prior to 0.9.8i on Linux.

References

http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest
http://www.openwall.com/lists/oss-security/2009/06/02/1

Updated on 2017-03-28

Severity

Classification

CVE CVE-2009-1386
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:N/I:N/A:P

Related Vulnerabilities

F-Secure Policy Manager Server fsmsh.dll module DoS
ejabberd 'mod_pubsub' Module Denial of Service Vulnerability
FreeType Memory Corruption and Buffer Overflow Vulnerabilities (Windows)
Apple Safari WebKit Property Memory Leak Remote DoS Vulnerability
Apache Subversion 'mod_dav_svn' Module Multiple DoS Vulnerabilities

Denial Of Service Vulnerability in OpenSSL June-09 (Linux)

Take action and discover your vulnerabilities