Cryptographic issues in openssl (Alpine package)

Published: 2014-01-14

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2013-6450
CWE-ID	CWE-310
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	openssl (Alpine package) Operating systems & Components / Operating system package or component
Vendor	Alpine Linux Development Team

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Cryptographic issues

EUVDB-ID: #VU32590

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-6450

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.

The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.

Mitigation

Install update from vendor's website.

Vulnerable software versions

openssl (Alpine package): 1.0.0c-r0 - 1.0.1b-r0

CPE2.3

External links

https://git.alpinelinux.org/aports/commit/?id=e8b94d00c8dddd125fe6dca0098b42a33680c02e
https://git.alpinelinux.org/aports/commit/?id=566868b54f5934c3805e86a40fb1ac254e22409e
https://git.alpinelinux.org/aports/commit/?id=a36c8fc70ef138aa409a41c166b569e4e3ad25f0

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.