|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
OpenSSL: denial of service via ServerKeyExchange
Synthesis of the vulnerability
An attacker can send a malicious ServerKeyExchange message to a client compiled with OpenSSL, in order to trigger a denial of service.
Impacted systems: Tomcat, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, ASA, AsyncOS, Cisco Content SMA, Cisco ESA, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco WSA, Cisco Wireless Controller, HP Switch, IRAD, Tivoli Storage Manager, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, Data ONTAP, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE, Palo Alto Firewall PA***, PAN-OS, Puppet, Slackware, Ubuntu.
Severity of this alert: 2/4.
Consequences of an intrusion: denial of service on client.
Pirate's origin: internet server.
Creation date: 04/12/2015.
Références of this alert: 1972951, 2003480, 2003620, 2003673, 9010051, c05398322, cisco-sa-20151204-openssl, CVE-2015-1794, HPESBHF03709, JSA10759, NTAP-20151207-0001, openSUSE-SU-2016:0637-1, PAN-SA-2016-0020, PAN-SA-2016-0028, SSA:2015-349-04, USN-2830-1, VIGILANCE-VUL-18443.
Description of the vulnerability
The OpenSSL library implements TLS with the anonymous DH ciphersuite.
However, if the TLS server sends a ServerKeyExchange message with a value of p parameter set to zero, a fatal error occurs in the client linked to OpenSSL.
An attacker can therefore send a malicious ServerKeyExchange message to a client compiled with OpenSSL, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides a networks vulnerabilities watch. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.