CERTVU:520586OpenSSL TLS handshake Denial of Service
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.047 Low
EPSS
Percentile
92.5%
Overview
A vulnerability exists in OpenSSL that may allow a remote attacker to cause a denial of service.
Description
OpenSSL contains a vulnerability in the way specially crafted TLS handshake packets are handled that may result in a denial of service. According to OpenSSL Security Advisory [28-Mar-2008]:
β¦ if the βServer Key exchange messageβ is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash.
Note that this issue may affect OpenSSL versions prior to 0.9.8h.
Impact
A remote, unauthorized attacker may be able to cause a denial of service.
Solution
Upgrade or Apply Patch
OpenSSL has issued an upgrade and a patch to address this issue. See OpenSSL Security Advisory [28-Mar-2008] for more information. OpenSSL is included in various Linux and UNIX distributions. Please consult the relevant documentation of your distribution to obtain the appropriate updates.
Vendor Information
520586
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
OpenSSL __ Affected
Updated: May 30, 2008
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
OpenSSL has issued an upgrade and a patch to address this issue. See OpenSSL Security Advisory [28-Mar-2008] for more information.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23520586 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.securityfocus.com/bid/29405>
- <http://cert.fi/haavoittuvuudet/2008/advisory-openssl.html>
- <http://secunia.com/advisories/30405/>
- <http://www.openssl.org/news/secadv_20080528.txt>
Acknowledgements
This issue was reported in OpenSSL Security Advisory [28-Mar-2008]. OpenSSL credits Codenomicon for reporting these issues.
This document was written by Chris Taschner.
Other Information
| CVE IDs: | CVE-2008-1672 |
|---|---|
| Severity Metric: | 14.70 Date Public: |
Related
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.047 Low
EPSS
Percentile
92.5%