#VU41411 Race condition in OpenSSL - CVE-2014-3509


Updated: 2020-08-10

Vulnerability identifier: #VU41411

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-3509

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Race condition in the ssl_parse_serverhello_tlsext function in t1_lib.c in OpenSSL 1.0.0 before 1.0.0n and 1.0.1 before 1.0.1i, when multithreading and session resumption are used, allows remote SSL servers to cause a denial of service (memory overwrite and client application crash) or possibly have unspecified other impact by sending Elliptic Curve (EC) Supported Point Formats Extension data.

Mitigation
Install the update from the vendor's website. Per the description above, the issue is fixed in OpenSSL 1.0.0n and 1.0.1i.

Vulnerable software versions

OpenSSL: 1.0.0k - 1.0.0, 1.0.1c - 1.0.1


External links
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc
https://aix.software.ibm.com/aix/efixes/security/openssl_advisory10.asc
https://linux.oracle.com/errata/ELSA-2014-1052.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
https://lists.opensuse.org/opensuse-updates/2014-08/msg00036.html
https://marc.info/?l=bugtraq&m=142350350616251&w=2
https://marc.info/?l=bugtraq&m=142495837901899&w=2
https://marc.info/?l=bugtraq&m=142624590206005&w=2
https://marc.info/?l=bugtraq&m=142660345230545&w=2
https://marc.info/?l=bugtraq&m=142791032306609&w=2
https://marc.info/?l=bugtraq&m=143290437727362&w=2
https://marc.info/?l=bugtraq&m=143290522027658&w=2
https://rhn.redhat.com/errata/RHSA-2015-0197.html
https://secunia.com/advisories/58962
https://secunia.com/advisories/59700
https://secunia.com/advisories/59710
https://secunia.com/advisories/59756
https://secunia.com/advisories/60022
https://secunia.com/advisories/60221
https://secunia.com/advisories/60493
https://secunia.com/advisories/60684
https://secunia.com/advisories/60803
https://secunia.com/advisories/60917
https://secunia.com/advisories/60921
https://secunia.com/advisories/60938
https://secunia.com/advisories/61017
https://secunia.com/advisories/61100
https://secunia.com/advisories/61139
https://secunia.com/advisories/61184
https://secunia.com/advisories/61775
https://secunia.com/advisories/61959
https://security.gentoo.org/glsa/glsa-201412-39.xml
https://www.debian.org/security/2014/dsa-2998
https://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-372998.htm
https://www.mandriva.com/security/advisories?name=MDVSA-2014:158
https://www.securityfocus.com/bid/69084
https://www.securitytracker.com/id/1030693
https://www-01.ibm.com/support/docview.wss?uid=nas8N1020240
https://www-01.ibm.com/support/docview.wss?uid=swg21682293
https://www-01.ibm.com/support/docview.wss?uid=swg21683389
https://www-01.ibm.com/support/docview.wss?uid=swg21686997
https://bugzilla.redhat.com/show_bug.cgi?id=1127498
https://exchange.xforce.ibmcloud.com/vulnerabilities/95159
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=fb0bc2b273bcc2d5401dd883fe869af4fc74bb21
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-September/000196.html
https://support.citrix.com/article/CTX216642
https://techzone.ergon.ch/CVE-2014-3511
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:18.openssl.asc
https://www.openssl.org/news/secadv_20140806.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
