OpenSSL DTLS invalid segment vulnerability (CVE-2014-0195)

OpenSSL DTLS invalid segment vulnerability (CVE-2014-0195)

Release date:
Updated on: 2014-06-06

Affected Systems:
OpenSSL Project OpenSSL <1.0.0m
OpenSSL Project OpenSSL <1.0.0h
OpenSSL Project OpenSSL <0.9.8za
Description:
--------------------------------------------------------------------------------
Bugtraq id: 67900
CVE (CAN) ID: CVE-2014-0195
 
OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications.
 
In OpenSSL versions earlier than 0.9.8za, 1.0.0m, and 1.0.1h, The dtls1_reassemble_fragment function in dsf-both.c does not correctly verify the fragment length in the DTLS ClientHello message. Remote attackers can use ultra-long non-starting fr, attackers can exploit this vulnerability to execute arbitrary code or cause DoS (buffer overflow and application crash ).

OpenSSL TLS heartbeat read remote information leakage (CVE-2014-0160)

Severe OpenSSL bug allows attackers to read 64 KB of memory, fixed in half an hour in Debian

OpenSSL "heartbleed" Security Vulnerability

Provides FTP + SSL/TLS authentication through OpenSSL and implements secure data transmission.
 
<* Source: Jüri Aedla

Link: http://secunia.com/advisories/58403/
Http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002#.U5Ekl_m1bpq
Http://www.openssl.org/news/secadv_20140605.txt
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
OpenSSL Project
---------------
The OpenSSL Project has released a Security Bulletin (secadv_20140605) and corresponding patches:
Secadv_20140605: SSL/tls mitm vulnerability (CVE-2014-0224)
Link: http://www.openssl.org/news/secadv_20140605.txt

OpenSSL details: click here
OpenSSL: click here

This article permanently updates the link address: