OpenSSL DTLS invalid segment vulnerability (CVE-2014-0195)
Release date:
Updated on: 2014-06-06
Affected Systems:
OpenSSL Project OpenSSL <1.0.0m
OpenSSL Project OpenSSL <1.0.0h
OpenSSL Project OpenSSL <0.9.8za
Description:
--------------------------------------------------------------------------------
Bugtraq id: 67900
CVE (CAN) ID: CVE-2014-0195
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
In OpenSSL versions earlier than 0.9.8za, 1.0.0m, and 1.0.1h, The dtls1_reassemble_fragment function in dsf-both.c does not correctly verify the fragment length in the DTLS ClientHello message. Remote attackers can use ultra-long non-starting fr, attackers can exploit this vulnerability to execute arbitrary code or cause DoS (buffer overflow and application crash ).
OpenSSL TLS heartbeat read remote information leakage (CVE-2014-0160)
Severe OpenSSL bug allows attackers to read 64 KB of memory, fixed in half an hour in Debian
OpenSSL "heartbleed" Security Vulnerability
Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.
<* Source: Jüri Aedla
Link: http://secunia.com/advisories/58403/
Http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002#.U5Ekl_m1bpq
Http://www.openssl.org/news/secadv_20140605.txt
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
OpenSSL Project
---------------
The OpenSSL Project has released a Security Bulletin (secadv_20140605) and corresponding patches:
Secadv_20140605: SSL/tls mitm vulnerability (CVE-2014-0224)
Link: http://www.openssl.org/news/secadv_20140605.txt
OpenSSL details: click here
OpenSSL: click here
This article permanently updates the link address: