Info

Disclosure

Sep 28, 2006

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

OpenSSL contains a flaw that may allow a remote denial of service. The issue is triggered when an unspecified error occurs in the get_server_hello function, and will result in loss of availability for the client.

Classification

Location: Remote / Network Access
Attack Type: Denial of Service
Impact: Loss of Availability
Disclosure: OSVDB Verified, Vendor Verified

Solution

Upgrade to version 0.9.7l, 0.9.8d or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

The OpenSSL Project	OpenSSL	0.9.7
		0.9.8

CyberGuard Corporation

SnapGear

3.1.4u1

References

CVE ID: 2006-4343 (see also: NVD)
Secunia Advisory ID: 22094 22116 22130 22165 22166 22172 22186 22193 22207 22212 22216 22220 22232 22240 22259 22260 22284 22298 22330 22385 22460 22487 22500 22544 22626 22758 22772 22791 22799 23038 23155 23280 23309 23340 23351 23680 23785 23915 25889 26329 27012 27021 27031 27051 27229 29413 30124 31492 44532
SCIP VulDB ID: 2577
Related OSVDB ID: 29260 29261 29262
Other Advisory URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
http://lists.rpath.com/pipermail/security-announce/2007-October/000259.html
http://security.freebsd.org/advisories/FreeBSD-SA-07:08.openssl.asc
http://www.debian.org/security/2007/dsa-1379
http://www.gentoo.org/security/en/glsa/glsa-200610-11.xml
http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
http://www.ipcop.org/modules.php?op=modload&name=News&file=article&sid=31&mode=thread&order=0&thold=0
http://www.novell.com/linux/security/advisories/2007_20_sr.html
http://www.ubuntu.com/usn/usn-522-1
http://www.us.debian.org/security/2006/dsa-1185
http://www.xerox.com/downloads/usa/en/c/cert_ESSNetwork_XRX07001_v1.pdf
https://issues.rpath.com/browse/RPL-613
Vendor Specific Advisory URL: ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc http://docs.info.apple.com/article.html?artnum=304829
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
http://kolab.org/security/kolab-vendor-notice-11.txt
http://lists.suse.com/archive/suse-security-announce/2006-Oct/0001.html
http://lists.suse.com/archive/suse-security-announce/2006-Sep/0013.html
http://openbsd.org/errata.html#openssl2
http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
http://sunsolve.sun.com/search/document.do?assetkey=1-21-121229-02-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102711-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102747-1
http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
http://support.avaya.com/elmodocs2/security/ASA-2006-262.htm
http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
http://www.mandriva.com/security/advisories?name=MDKSA-2006:172-1
http://www.mandriva.com/security/advisories?name=MDKSA-2006:177
http://www.mandriva.com/security/advisories?name=MDKSA-2006:178
http://www.openssl.org/news/secadv_20060928.txt
http://www.trustix.org/errata/2006/0054/
http://www.ubuntu.com/usn/usn-353-1
http://www.us.debian.org/security/2006/dsa-1195
http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html
https://issues.rpath.com/browse/RPL-613
https://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02824490
Keyword: HPSBMA02250,SSRT061275
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0295.html
http://archives.neohapsis.com/archives/bugtraq/2007-08/0069.html
http://seclists.org/bugtraq/2011/May/69
News Article: http://news.com.com/Apple+Mac+OS+X+patch+plugs+31+vulnerabilities/2100-1002_3-6139117.html
Vendor Specific News/Changelog Entry: http://openvpn.net/changelog.html
http://sourceforge.net/forum/forum.php?forum_id=617485
http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
http://www.cyberguard.info/snapgear/releases.html
http://www.serv-u.com/releasenotes/
http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
Generic Exploit URL: http://www.securiteam.com/exploits/6H00O00KKA.html
RedHat RHSA: RHSA-2006:0695

Credit

Tavis Ormandy - tavisogoogle.com - Google Information Security Team
Will Drewry - wadgoogle.com - Google Security Team

Direct URL: http://osvdb.org/29263

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

The OpenSSL Project

OpenSSL

CyberGuard Corporation

SnapGear

References

Credit