PT-2014-1949 · Openssl+5 · Openssl+8

Published

2014-12-11

Updated

2024-06-15

CVE-2014-3569

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions OpenSSL versions 0.9.8zc through 1.0.1j

Description The issue is related to the ssl23 get client hello function in s23 srvr.c of the OpenSSL library, which incorrectly handles outdated protocols. This can be exploited by a remote attacker to cause a denial of service, resulting in a daemon crash due to a NULL pointer dereference. The exploitation can occur through an unexpected handshake, such as an SSLv3 handshake to a non-SSLv3 application with specific error handling.

Recommendations For OpenSSL versions 0.9.8zc through 1.0.1j, consider updating to a version that properly handles attempts to use unsupported protocols, or apply configuration changes to restrict the use of outdated protocols until a patch is available. As a temporary workaround, consider disabling the ssl23 get client hello function until a patch is available to prevent potential exploitation.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2015-1023

ALT-PU-2015-2113

BDU:2015-09980

CVE-2014-3569

DLA-81-1

DSA-3125-1

HPSBUX03162

HPSBUX03244

MGASA-2015-0022

OPENSUSE-SU-2015_0130-1

OPENSUSE-SU-2016_0640-1

OPENSUSE-SU-2024:10271-1

OPENSUSE-SU-2024:10529-1

OPENSUSE-SU-2024:11127-1

SUSE-SU-2015:0620-1

SUSE-SU-2015:0946-1

SUSE-SU-2015:1177-1

SUSE-SU-2015_0946-1

Affected Products

Alt Linux

Cisco Ios

Cisco Ios Xe

Cisco Nexus

Cisco Wls

Hp-Ux

Junos

Openssl

Suse

PT-2014-1949 · Openssl+5 · Openssl+8

CVE-2014-3569

Weakness Enumeration

Related Identifiers

Affected Products

References · 450