PT-2014-1691 · Openssl+8 · Openssl+8

Publicado

2014-10-15

·

Atualizado

2024-06-15

·

CVE-2014-3567

CVSS v2.0

7.1

Alta

VetorAV:N/AC:M/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 0.9.8zc OpenSSL versions prior to 1.0.0o OpenSSL versions prior to 1.0.1j
Description The issue is related to a memory leak in the tls decrypt ticket function, which can be exploited by remote attackers to cause a denial of service due to excessive memory consumption. This can be achieved by sending a specially crafted session ticket that triggers an integrity-check failure. The estimated number of potentially affected devices and details about real-world incidents are not provided.
Recommendations For OpenSSL versions prior to 0.9.8zc, update to version 0.9.8zc or later. For OpenSSL versions prior to 1.0.0o, update to version 1.0.0o or later. For OpenSSL versions prior to 1.0.1j, update to version 1.0.1j or later. As a temporary workaround, consider restricting access to the tls decrypt ticket function in the t1 lib.c file until a patch is available.

Exploit

Correção

DoS

RCE

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-399CWE-20

Identificadores relacionados

ALT-PU-2014-2312
BDU:2015-00640
BDU:2015-09775
CESA-2014_1652
CVE-2014-3567
DLA-81-1
DSA-3053-1
HPSBUX03162
MGASA-2014-0416
OPENSUSE-SU-2014_1331-1
OPENSUSE-SU-2016_0640-1
OPENSUSE-SU-2024:10271-1
OPENSUSE-SU-2024:10529-1
OPENSUSE-SU-2024:11127-1
RHSA-2014:1652
RHSA-2014:1692
RHSA-2014_1652
RHSA-2015:0126
SUSE-FU-2022:0445-1
SUSE-RU-2015:0769-1
SUSE-SU-2015:0545-1
SUSE-SU-2015:0545-2
SUSE-SU-2015:0546-1
SUSE-SU-2015:1182-1
SUSE-SU-2015:1182-2
SUSE-SU-2015:1184-1
SUSE-SU-2015:1184-2
SUSE-SU-2015:1185-1
SUSE-SU-403
USN-2385-1

Produtos afetados

Alt Linux
Centos
Hp-Ux
Ibm Aix
Openssl
Red Hat
Suse
Ubuntu
Vmware Vcenter