OpenSSL anonymous ECDH Denial of Service Vulnerability (CVE-2014-3470)
Release date:
Updated on: 2014-06-06
Affected Systems:
OpenSSL Project OpenSSL <1.0.0m
OpenSSL Project OpenSSL <1.0.0h
OpenSSL Project OpenSSL <0.9.8za
Description:
--------------------------------------------------------------------------------
Bugtraq id: 67898
CVE (CAN) ID: CVE-2014-3470
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL versions earlier than 0.9.8za, 1.0.0m, and 1.0.1h has a security vulnerability. When an anonymous ECDH cipher suite is used, attackers can launch a Denial of Service (DoS) attack by triggering a NULL certificate value (a NULL pointer dereference that causes the client to crash).
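An added example (not part of the original advisory and not OpenSSL code): a Python check that tells whether a client's OpenSSL version is below the fixed releases named in the description and whether its cipher list offers anonymous ECDH suites. The function names and sample inputs are constructed for illustration; suite matching assumes OpenSSL-style `AECDH-` names or IANA-style `_ECDH_anon_` names.

```python
import re

# Fixed releases per branch, taken from the advisory's description.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
_VERSION = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def patch_rank(letters):
    """Order OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(letters), letters)


def is_affected(version):
    """True/False for a branch the advisory lists, None for any other branch."""
    m = _VERSION.search(version)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % version)
    branch, letters = m.groups()
    fixed = FIXED.get(branch)
    if fixed is None:
        return None
    return patch_rank(letters) < patch_rank(fixed)


def anon_ecdh_suites(cipher_names):
    """Pick out anonymous ECDH suites (assumed naming: AECDH-* or *_ECDH_anon_*)."""
    return [n for n in cipher_names
            if n.upper().startswith("AECDH-") or "_ECDH_ANON_" in n.upper()]


def client_exposed(version, cipher_names):
    """Exposed only if the version is unpatched AND anonymous ECDH is offered."""
    return is_affected(version) is True and bool(anon_ecdh_suites(cipher_names))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    banner = "OpenSSL 1.0.1g 7 Apr 2014"
    ciphers = ["ECDHE-RSA-AES128-SHA", "AECDH-AES128-SHA"]
    print(banner, "affected:", is_affected(banner))
    print("anonymous ECDH suites:", anon_ecdh_suites(ciphers))
    print("client exposed:", client_exposed(banner, ciphers))
```

A `None` result from `is_affected` means the branch is not one the advisory names, so the check makes no claim about it.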
<* Source: Felix Grobert
Ivan Fratric (ifsecure@gmail.com)
Link: http://secunia.com/advisories/58403/
http://www.openssl.org/news/secadv_20140605.txt
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
OpenSSL Project
---------------
The OpenSSL Project has released a Security Bulletin (secadv_20140605) and corresponding patches:
secadv_20140605: SSL/TLS MITM vulnerability (CVE-2014-0224)
Link: http://www.openssl.org/news/secadv_20140605.txt