CVE-2014-3510

Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.8 before 0.9.8zb OpenSSL versions 1.0.0 before 1.0.0n OpenSSL versions 1.0.1 before 1.0.1i

Description The issue allows remote DTLS servers to cause a denial of service, resulting in a client application crash due to a NULL pointer dereference. This can be achieved by sending a crafted handshake message in conjunction with an anonymous DH or ECDH ciphersuite. The estimated number of potentially affected devices and details about real-world incidents are not provided.

Recommendations For OpenSSL versions 0.9.8 before 0.9.8zb, update to version 0.9.8zb or later. For OpenSSL versions 1.0.0 before 1.0.0n, update to version 1.0.0n or later. For OpenSSL versions 1.0.1 before 1.0.1i, update to version 1.0.1i or later. As a temporary workaround, consider disabling the use of anonymous DH or ECDH ciphersuites until a patch is available. Restrict access to DTLS servers to minimize the risk of exploitation. Avoid using the ssl3 send client key exchange function in the affected s3 clnt.c file until the issue is resolved.