CERT/CC Vulnerability Note VU#465542

Overview

OpenSSL does not properly handle unknown message types, allowing an unauthenticated, remote attacker to cause a denial of service. This vulnerability was addressed in OpenSSL 0.9.6d and 0.9.7.

Description

OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others.

OpenSSL prior to version 0.9.6d does not properly handle unknown message types. An attacker could cause the application using OpenSSL to enter an infinite loop, resulting in a denial of service.

Further information is available in NISCC/224012/OpenSSL/3.

Impact

An unauthenticated, remote attacker could cause a denial of service in an application that uses OpenSSL.

Solution

Upgrade or Patch
This vulnerability was addressed in OpenSSL versions 0.9.6d and 0.9.7. Upgrade to OpenSSL version 0.9.6d or 0.9.7 greater. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to OpenSSL libraries.

Vendor Information

465542

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Cisco Systems Inc. Affected

Debian Affected

Gentoo Linux Affected

Guardian Digital Inc. Affected

NetScreen Affected

OpenSSL Affected

Red Hat Inc. Affected

Apple Computer Inc. Not Affected

3Com Unknown

AT&T Unknown

Alcatel Unknown

Apache Unknown

Apache-SSL Unknown

Avaya Unknown

Borderware Unknown

Certicom Unknown

Check Point Unknown

Clavister Unknown

Computer Associates Unknown

Conectiva Unknown

Covalent Unknown

Cray Inc. Unknown

D-Link Systems Unknown

Dan Bernstein Unknown

EMC Corporation Unknown

Extreme Networks Unknown

F-Secure Unknown

F5 Networks Unknown

Foundry Networks Inc. Unknown

FreeBSD Unknown

FreeS/WAN Unknown

Fujitsu Unknown

Global Technology Associates Unknown

Hewlett-Packard Company Unknown

Hitachi Unknown

IBM Unknown

IP Filter Unknown

Ingrian Networks Unknown

Intel Unknown

Internet Initiative Japan (IIJ) Unknown

Intoto Unknown

Juniper Networks Unknown

KAME Project Unknown

Linksys Unknown

Lotus Software Unknown

Lucent Technologies Unknown

MandrakeSoft Unknown

Microsoft Corporation Unknown

MontaVista Software Unknown

Multi-Tech Systems Inc. Unknown

NEC Corporation Unknown

National Center for Supercomputing Applications (NCSA) Unknown

National Institute of Standards and Technology (NIST) Unknown

NetBSD Unknown

Netfilter Unknown

Network Appliance Unknown

Network Associates Unknown

Nokia Unknown

Nortel Networks Unknown

Novell Unknown

OpenBSD Unknown

Openwall GNU/*/Linux Unknown

Redback Networks Inc. Unknown

Riverstone Networks Unknown

SCO Unknown

SGI Unknown

SSH Communications Security Unknown

SafeNet Unknown

Secure Computing Corporation Unknown

SecureWorx Unknown

Sony Corporation Unknown

Stonesoft Unknown

SuSE Inc. Unknown

Sun Microsystems Inc. Unknown

Symantec Corporation Unknown

TurboLinux Unknown

Unisys Unknown

WatchGuard Unknown

Wind River Systems Inc. Unknown

Wirex Unknown

ZyXEL Unknown

eSoft Unknown

View all 83 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was reported by the OpenSSL Project and the U.K. National Infrastructure Security Co-ordination Centre (NISCC).

This document was written by Damon Morda and Art Manion.

Other Information

CVE IDs:	CVE-2004-0081
Severity Metric:	5.16
Date Public:	2004-03-17
Date First Published:	2004-03-17
Date Last Updated:	2005-05-06 17:31 UTC
Document Revision:	27

Software Engineering Institute

CERT Coordination Center

OpenSSL does not properly handle unknown message types

Vulnerability Note VU#465542