PT-2014-1702 · Gentoo+7 · Gentoo Linux+7

Published

2014-08-06

Updated

2024-06-15

CVE-2014-3511

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions OpenSSL versions prior to 1.0.1j Gentoo Linux (affected versions not specified)

Description The issue allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue. This can be exploited remotely and may lead to a violation of confidentiality, integrity, and availability of protected information. The vulnerability is in the ssl23 get client hello function in s23 srvr.c.

Recommendations For OpenSSL versions prior to 1.0.1j, update to version 1.0.1j or later to resolve the issue. As a temporary workaround, consider restricting the use of TLS 1.0 until a patch is available. Avoid using the ssl23 get client hello function in s23 srvr.c until the issue is resolved.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Related Identifiers

ALT-PU-2014-2312

BDU:2015-00652

BDU:2015-09775

CESA-2014_1052

CVE-2014-3511

DSA-2998-1

MGASA-2014-0325

OPENSUSE-SU-2024:10271-1

OPENSUSE-SU-2024:10309-1

OPENSUSE-SU-2024:10529-1

OPENSUSE-SU-2024:11127-1

RHSA-2014:1052

RHSA-2014:1054

RHSA-2014_1052

RHSA-2015:0126

RHSA-2015:0197

SUSE-FU-2022:0445-1

SUSE-RU-2015:0769-1

SUSE-SU-2015:0546-1

SUSE-SU-2015:1185-1

USN-2308-1

Affected Products

Alt Linux

Centos

Gentoo Linux

Ibm Aix

Openssl

Red Hat

Suse

Ubuntu

PT-2014-1702 · Gentoo+7 · Gentoo Linux+7

CVE-2014-3511

Related Identifiers

Affected Products

References · 280