#VU32589 Cryptographic issues in OpenSSL - CVE-2013-6449

Cybersecurity Help s.r.o.

Published: 2013-12-24 | Updated: 2020-07-28

Vulnerability identifier: #VU32589

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-6449

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The ssl_get_algorithm2 function in ssl/s3_lib.c in OpenSSL before 1.0.2 obtains a certain version number from an incorrect data structure, which allows remote attackers to cause a denial of service (daemon crash) via crafted traffic from a TLS 1.2 client.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 1.0.0o - 1.0.0p, 1.0.1t - 1.0.1p

External links
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=ca989269a2876bae79393bd54c3e72d49975fc75
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124833.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124854.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-December/124858.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
https://lists.opensuse.org/opensuse-updates/2014-01/msg00006.html
https://lists.opensuse.org/opensuse-updates/2014-01/msg00009.html
https://lists.opensuse.org/opensuse-updates/2014-01/msg00012.html
https://lists.opensuse.org/opensuse-updates/2014-01/msg00031.html
https://rhn.redhat.com/errata/RHSA-2014-0015.html
https://rhn.redhat.com/errata/RHSA-2014-0041.html
https://rt.openssl.org/Ticket/Display.html?id=3200&user=guest&pass=guest
https://seclists.org/fulldisclosure/2014/Dec/23
https://security.gentoo.org/glsa/glsa-201412-39.xml
https://www.debian.org/security/2014/dsa-2833
https://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
https://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
https://www.securityfocus.com/archive/1/534161/100/0/threaded
https://www.securityfocus.com/bid/64530
https://www.securitytracker.com/id/1029548
https://www.ubuntu.com/usn/USN-2079-1
https://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://www-01.ibm.com/support/docview.wss?uid=isg400001841
https://www-01.ibm.com/support/docview.wss?uid=isg400001843
https://bugzilla.redhat.com/show_bug.cgi?id=1045363
https://issues.apache.org/jira/browse/TS-2355

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems

Gentoo update for OpenSSL

Amazon Linux AMI update for openssl

Cryptographic issues in openssl (Alpine package)

Slackware Linux update for openssl

Cryptographic issues in OpenSSL