#VU33336 Input validation error in OpenSSL - CVE-2010-2939


| Updated: 2020-08-04

Vulnerability identifier: #VU33336

Vulnerability risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2010-2939

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows context-dependent attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime.

Mitigation
Update to version 1.0.0b.

Vulnerable software versions

OpenSSL: 1.0.0a

External links
https://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html
https://marc.info/?l=bugtraq&m=130331363227777&w=2
https://seclists.org/fulldisclosure/2010/Aug/84
https://secunia.com/advisories/40906
https://secunia.com/advisories/41105
https://secunia.com/advisories/42309
https://secunia.com/advisories/42413
https://secunia.com/advisories/43312
https://security.FreeBSD.org/advisories/FreeBSD-SA-10:10.openssl.asc
https://securitytracker.com/id?1024296
https://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.668793
https://www.debian.org/security/2010/dsa-2100
https://www.mail-archive.com/openssl-dev@openssl.org/msg28043.html
https://www.mail-archive.com/openssl-dev@openssl.org/msg28045.html
https://www.mail-archive.com/openssl-dev@openssl.org/msg28049.html
https://www.openwall.com/lists/oss-security/2010/08/11/6
https://www.securityfocus.com/archive/1/516397/100/0/threaded
https://www.ubuntu.com/usn/USN-1003-1
https://www.vmware.com/security/advisories/VMSA-2011-0003.html
https://www.vupen.com/english/advisories/2010/2038
https://www.vupen.com/english/advisories/2010/2229
https://www.vupen.com/english/advisories/2010/3077

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Input validation error in openssl (Alpine package)
Input validation error in OpenSSL