SecurityTracker.com
SecurityTracker Archives

Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
SecurityTracker Alert ID:  1031513
SecurityTracker URL:  http://securitytracker.com/id/1031513
CVE Reference:   CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
Date:  Jan 8 2015
Impact:   Denial of service via network, Disclosure of system information, Modification of authentication information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to versions 0.9.8zd, 1.0.0p, 1.0.1k
Description:   Several vulnerabilities were reported in OpenSSL. A remote user can cause denial of service conditions. A remote user can downgrade the session security in certain cases.

A remote user can send a specially crafted DTLS message to trigger a null pointer dereference fault in dtls1_get_record() and cause the target service to crash [CVE-2014-3571].

The vendor was notified on October 22, 2014.

Markus Stenberg of Cisco Systems, Inc. reported this vulnerability.

A remote user can send repeated DTLS records with the same sequence number but for the next epoch to trigger a memory leak in dtls1_buffer_record() and consume excessive memory resources on the target system [CVE-2015-0206]. Versions 1.0.0 and 1.0.1 are affected.

The vendor was notified on January 7, 2015.

Chris Mueller reported this vulnerability.

On systems built with the 'no-ssl3' option, a remote user can send an SSLv3 ClientHello message to later trigger a null pointer dereference [CVE-2014-3569].

The vendor was notified on October 17, 2014.

Frank Schmirler reported this vulnerability.

A remote server can initiate a handshake with an ephemeral ECDH (ECDHE) ciphersuite and an ECDSA certificate but omit the server key exchange message, downgrading the connection from ECDHE to ECDH and removing forward secrecy from the ciphersuite [CVE-2014-3572].

The vendor was notified on October 22, 2014.

Karthikeyan Bhargavan of the PROSECCO team at INRIA reported this vulnerability.

A remote server can supply a weak RSA temporary key for a non-export RSA key exchange ciphersuite to downgrade the session security [CVE-2015-0204].

The vendor was notified on October 22, 2014.

Karthikeyan Bhargavan of the PROSECCO team at INRIA reported this vulnerability.

A remote client can send a DH certificate for client authentication without the certificate verify message. On systems that trust a client certificate authority which issues certificates containing DH keys, this lets the client authenticate without using a private key [CVE-2015-0205]. Versions 1.0.0 and 1.0.1 are affected.

The vendor was notified on October 22, 2014.

Karthikeyan Bhargavan of the PROSECCO team at INRIA reported this vulnerability.

A remote user can modify the certificate fingerprint in certain cases [CVE-2014-8275]. Applications that rely on the uniqueness of certificate fingerprints may be affected.

The vendor was notified on December 1, 2014 and December 12, 2014 by separate parties.

Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS program (via NCSC-FI) reported one variant of this vulnerability. Konrad Kraszewski from Google reported another variant of this vulnerability.

Bignum squaring (BN_sqr) may, rarely and non-deterministically, produce incorrect results on some platforms (including x86_64). The impact was not specified [CVE-2014-3570].

The vendor was notified on November 2, 2014.

Pieter Wuille (Blockstream) reported this vulnerability.

Impact:   A remote user can cause the target system to crash.

A remote user can consume excessive memory resources on the target system.

A remote server can downgrade the session security in certain cases.

A remote user can bypass authentication in certain rare cases.

Solution:   The vendor has issued a fix (0.9.8zd, 1.0.0p, 1.0.1k).

The vendor's advisory is available at:

http://openssl.org/news/secadv_20150108.txt
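As an added check (not part of the SecurityTracker alert or of OpenSSL's own tooling), the script below parses the output of `openssl version` and reports whether a build predates the fixed releases named above. It assumes OpenSSL's letter-suffix patch numbering (a..z, then za, zb, ...) and treats branches the advisory does not list, such as 1.0.2, as out of scope.

```python
import re
import subprocess

# Fixed releases named in the advisory: builds with an older patch letter
# on the same branch are affected.
FIXED_RELEASES = {"0.9.8": "zd", "1.0.0": "p", "1.0.1": "k"}

# Matches "1.0.1j" inside "OpenSSL 1.0.1j 15 Oct 2014" or "OpenSSL 1.0.1e-fips ..."
_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_version(text):
    """Return (branch, patch_letters) from an 'openssl version' line."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % text)
    return match.group(1), match.group(2)


def patch_key(letters):
    """Sort key for OpenSSL patch letters: a..z, then za, zb, ... so a
    longer suffix is newer and equal-length suffixes compare alphabetically."""
    return (len(letters), letters)


def is_vulnerable(text):
    """True if the build predates the fixed release for its branch, False if
    it is fixed, None if the branch is not covered by this advisory."""
    branch, letters = parse_version(text)
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return None
    return patch_key(letters) < patch_key(fixed)


def check_local_openssl():
    """Run 'openssl version' on this host and classify the result."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout
    return out.strip(), is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample line in the format 'openssl version' prints.
    sample = "OpenSSL 1.0.1j 15 Oct 2014"
    print(sample, "->", "affected" if is_vulnerable(sample) else "fixed")
    try:
        version, state = check_local_openssl()
        labels = {True: "affected", False: "fixed", None: "branch not covered"}
        print(version, "->", labels[state])
    except (OSError, subprocess.CalledProcessError):
        print("openssl binary not found")
```

Distribution packages often backport the fixes without changing the upstream version letter, so a result of "affected" from this check should be confirmed against the distributor's package changelog.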

Vendor URL:  openssl.org/news/secadv_20150108.txt
Cause:   Access control error, Authentication error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 15 2015 (FreeBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
FreeBSD has issued a fix for FreeBSD 8.4, 9.3, 10.0, and 10.1.
Jan 22 2015 (Red Hat Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Feb 5 2015 (IBM Issues Fix for IBM AIX) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
IBM has issued a fix for IBM AIX 5.3, 6.1, and 7.1.
Feb 27 2015 (Blue Coat Issues Advisory for Blue Coat Director) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Blue Coat has issued an advisory for Blue Coat Director 6.x.
Feb 27 2015 (Blue Coat Issues Advisory for Blue Coat ProxySG) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Blue Coat has issued an advisory for Blue Coat ProxySG 6.x.
Feb 27 2015 (Blue Coat Issues Advisory for Blue Coat ProxyAV) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Blue Coat has issued an advisory for Blue Coat ProxyAV 3.4 and 3.5.
Mar 11 2015 (Cisco Issues Fix for Cisco WebEx Meetings Server) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Cisco has issued a fix for Cisco WebEx Meetings Server.
Mar 11 2015 (Cisco Issues Fix for Cisco AnyConnect Secure Mobility Client) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Cisco has issued a fix for Cisco AnyConnect Secure Mobility Client.
Mar 11 2015 (Cisco Issues Fix for Cisco IOS) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Cisco has issued a fix for Cisco IOS.
Mar 11 2015 (Cisco Issues Fix for Cisco Application Control Engine) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Cisco has issued a fix for Cisco ACE30 Application Control Engine Module.
Mar 11 2015 (Cisco Issues Fix for Cisco ASA) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Cisco has issued a fix for Cisco ASA.
Mar 11 2015 (Cisco Issues Fix for Cisco Web Security Appliance) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Cisco has issued a fix for Cisco Web Security Appliance.
Mar 11 2015 (Cisco Issues Fix for Cisco Prime Network Registrar) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Cisco has issued a fix for Cisco Prime Network Registrar.
Mar 11 2015 (Cisco Issues Fix for Cisco Security Manager) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Cisco has issued a fix for Cisco Security Manager.
Mar 11 2015 (Cisco Issues Fix for Cisco Unified Communications Domain Manager) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Cisco has issued a fix for Cisco Unified Communications Domain Manager.
Mar 11 2015 (Cisco Issues Fix for Cisco TelePresence) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Cisco has issued a fix for Cisco TelePresence.
Mar 23 2015 (NetBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.
Apr 11 2015 (Juniper Issues Fix for Juniper Junos) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Juniper has issued a fix for Juniper Junos.
Apr 11 2015 (Juniper Issues Advisory for Juniper Junos Space) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Juniper has issued an advisory for Juniper Junos Space.
Apr 11 2015 (Juniper Issues Fix for Juniper SRC) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Juniper has issued an advisory for Juniper SRC Series.
Apr 11 2015 (Juniper Issues Fix for Juniper SBR Carrier) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Juniper has issued an advisory for Juniper SBR Carrier.
Apr 11 2015 (Juniper Issues Advisory for ScreenOS) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Juniper has issued an advisory for ScreenOS (NetScreen).
Apr 11 2015 (Juniper Issues Advisory for Juniper IDP) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Juniper has issued an advisory for Juniper IDP.
Apr 13 2015 (Red Hat Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Apr 13 2015 (HP Issues Fix for HP OpenVMS) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
HP has issued a fix for OpenVMS 8.3, 8.3-1H1, and 8.4.
Apr 14 2015 (Oracle Issues Fix for Java) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Oracle has issued a fix for Java.
May 4 2015 (Splunk Issues Fix for Splunk) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Splunk has issued a fix for Splunk Enterprise and Light.
May 20 2015 (HP Issues Fix for HP-UX) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
HP has issued a fix for HP-UX 11.11, 11.23, and 11.31.
May 29 2015 (Splunk Issues Fix for Splunk Enterprise) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Splunk has issued a fix for Splunk Enterprise.
Jun 9 2015 (Juniper Issues Fix for Juniper Pulse Desktop) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Juniper has issued a fix for Juniper Pulse Desktop.
Jun 9 2015 (Juniper and Microsoft Issue Fix for Juniper Pulse Secure) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Juniper and Microsoft have issued a fix for the Juniper Pulse client.
Jul 11 2015 (IBM Issues Fix for IBM Tivoli Netcool/OMNIbus) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
IBM has issued a fix for IBM Tivoli Netcool/OMNIbus.
Jul 15 2015 (Oracle Issues Fix for Sun Integrated Lights-Out Manager) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Oracle has issued a fix for Sun Integrated Lights-Out Manager.
Jul 15 2015 (Oracle Issues Fix for Sun SPARC Enterprise Server) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Oracle has issued a fix for Sun SPARC Enterprise Server.
Jul 15 2015 (Oracle Issues Fix for Oracle HTTP Server) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Oracle has issued a fix for Oracle HTTP Server.
Jul 17 2015 (Brocade Issues Advisory for Brocade Switches) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Brocade has issued an advisory for Brocade Switches.
Jul 18 2015 (Brocade Communications Systems Issues Fix for Brocade Switch) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
Brocade Communications Systems has issued an advisory for Brocade Switch.
Aug 21 2015 (NetBSD Issues Fix) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
NetBSD has issued a fix for NetBSD 5.1, 5.2, 6.0, and 6.1.
Aug 21 2015 (HP Issues Fix for HP Network Node Manager) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
HP has issued a fix for HP Network Node Manager.
Aug 26 2015 (HP Issues Fix for Version Control Repository Manager) OpenSSL Bugs Let Remote Users Deny Service and Downgrade Session Security
HP has issued a fix for Version Control Repository Manager.

