Info

Disclosure

Sep 28, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

OpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered when large values in X.509 certificates require extra time to process, and may result in loss of availability for the service.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 0.9.7l, 0.9.8d or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

The OpenSSL Project	OpenSSL	0.9.7
		0.9.8

CyberGuard Corporation

SnapGear

3.1.4u1

References

CVE ID: 2006-2940 (see also: NVD)
Secunia Advisory ID: 22094 22116 22130 22165 22166 22172 22186 22193 22207 22212 22216 22220 22232 22240 22259 22260 22284 22298 22330 22385 22460 22487 22500 22544 22626 22671 22689 22758 22772 22799 22898 23038 23155 23280 23309 23340 23351 23680 23785 23915 24930 24950 25420 25889 26329 26893 27012 27021 27031 27051 27229 27706 29413 30124 31492 31531 44532
SCIP VulDB ID: 2575
Related OSVDB ID: 29260 29262 29263
Other Advisory URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00967144&jumpid=reg_R1002_USEN
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
http://lists.rpath.com/pipermail/security-announce/2007-October/000259.html
http://lists.rpath.com/pipermail/security-announce/2007-September/000252.html
http://marc.theaimsgroup.com/?l=bind-announce&m=116253119512445&w=2
http://security.freebsd.org/advisories/FreeBSD-SA-07:08.openssl.asc
http://support.attachmate.com/techdocs/2374.html
http://www.debian.org/security/2007/dsa-1379
http://www.gentoo.org/security/en/glsa/glsa-200610-11.xml
http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
http://www.gentoo.org/security/en/glsa/glsa-200711-23.xml
http://www.ipcop.org/modules.php?op=modload&name=News&file=article&sid=31&mode=thread&order=0&thold=0
http://www.novell.com/linux/security/advisories/2007_20_sr.html
http://www.trustix.org/errata/2006/0063/
http://www.ubuntu.com/usn/usn-522-1
http://www.us.debian.org/security/2006/dsa-1185
http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf
https://issues.rpath.com/browse/RPL-613
Vendor Specific Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc http://docs.info.apple.com/article.html?artnum=304829
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
http://kolab.org/security/kolab-vendor-notice-11.txt
http://lists.suse.com/archive/suse-security-announce/2006-Oct/0001.html
http://lists.suse.com/archive/suse-security-announce/2006-Sep/0013.html
http://openbsd.org/errata.html#openssl2
http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.566955
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102747-1
http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
http://support.avaya.com/elmodocs2/security/ASA-2006-262.htm
http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
http://www.mandriva.com/security/advisories?name=MDKSA-2006:172-1
http://www.mandriva.com/security/advisories?name=MDKSA-2006:177
http://www.mandriva.com/security/advisories?name=MDKSA-2006:178
http://www.openssl.org/news/secadv_20060928.txt
http://www.trustix.org/errata/2006/0054/
http://www.ubuntu.com/usn/usn-353-1
http://www.us.debian.org/security/2006/dsa-1195
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
https://issues.rpath.com/browse/RPL-613
https://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02824490
Keyword: HPSBMA02250,SSRT061275 HPSBTU02207,SSRT061239,c00967144
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0295.html
http://archives.neohapsis.com/archives/bugtraq/2007-06/0347.html
http://archives.neohapsis.com/archives/bugtraq/2007-08/0069.html
http://seclists.org/bugtraq/2011/May/69
News Article: http://news.com.com/Apple+Mac+OS+X+patch+plugs+31+vulnerabilities/2100-1002_3-6139117.html
Vendor Specific News/Changelog Entry: http://openvpn.net/changelog.html
http://sourceforge.net/forum/forum.php?forum_id=617485
http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
http://www.cyberguard.info/snapgear/releases.html
http://www.ingate.com/relnote-452.php
http://www.serv-u.com/releasenotes/
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
RedHat RHSA: RHSA-2006:0695

Credit

Dr. S. N. Henson - The OpenSSL Project
Open Network Security - Open Network Security

Direct URL: http://osvdb.org/29261

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

The OpenSSL Project

OpenSSL

CyberGuard Corporation

SnapGear

References

Credit