(Debian Issues Fix) OpenSSL DTLS Processing Bugs Let Remote Users Deny Service and Execute Arbitrary Code
SecurityTracker Alert ID: 1030355
SecurityTracker URL: http://securitytracker.com/id/1030355
Date: Jun 5 2014
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes    Vendor Confirmed: Yes
Version(s): prior to versions 0.9.8za, 1.0.0m, 1.0.1h
Two vulnerabilities were reported in OpenSSL. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions.
A remote user can send specially crafted DTLS fragments to the target DTLS client or server to trigger a buffer overflow and execute arbitrary code on the target system [CVE-2014-0195]. Only applications using OpenSSL as a DTLS client or server are affected.
The vendor was notified on April 23, 2014.
Juri Aedla reported this vulnerability (via HP's ZDI).
A remote server can send a specially crafted DTLS handshake to the target DTLS client to trigger a recursion flaw and cause the target service to crash [CVE-2014-0221]. Only applications using OpenSSL as a DTLS client are affected.
The vendor was notified on May 9, 2014.
Imre Rad (Search-Lab Ltd.) reported this vulnerability.
Impact: A remote user can execute arbitrary code on the target system.
A remote user can cause the target service to crash.
Solution: Debian has issued a fix.
The Debian advisory is available at:
Vendor URL: www.openssl.org/news/secadv_20140605.txt
Cause: Boundary error, State error
Underlying OS: Linux (Debian)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: [SECURITY] [DSA 2950-1] openssl security update
Debian Security Advisory DSA-2950-1 firstname.lastname@example.org
http://www.debian.org/security/ Moritz Muehlenhoff
June 05, 2014 http://www.debian.org/security/faq
Package : openssl
CVE ID : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470
Multiple vulnerabilities have been discovered in OpenSSL:
Jueri Aedla discovered that a buffer overflow in processing DTLS
fragments could lead to the execution of arbitrary code or denial
Imre Rad discovered the processing of DTLS hello packets is
susceptible to denial of service.
KIKUCHI Masashi discovered that carefully crafted handshakes can
force the use of weak keys, resulting in potential man-in-the-middle
Felix Groebert and Ivan Fratric discovered that the implementation of
anonymous ECDH ciphersuites is susceptible to denial of service.
Additional information can be found at
For the stable distribution (wheezy), these problems have been fixed in
version 1.0.1e-2+deb7u10. All applications linked to openssl need to
be restarted. You can use the tool checkrestart from the package
debian-goodies to detect affected programs or reboot your system. There's
also a forthcoming security update for the Linux kernel later in the day
(CVE-2014-3153), so you need to reboot anyway. Perfect timing, isn't it?
For the unstable distribution (sid), these problems will be fixed soon.
We recommend that you upgrade your openssl packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/
Mailing list: email@example.com
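The DSA above says every program linked against openssl has to be restarted after the upgrade and points to checkrestart for finding them. As an added example (not code from the advisory, Debian or debian-goodies), the POSIX shell function below does the OpenSSL-specific part of that check: after a package upgrade replaces libssl/libcrypto on disk, a process still running the old copy shows the mapping in /proc/<pid>/maps with a "(deleted)" suffix. The optional PROC_ROOT argument is an assumption added so the function can be exercised on a constructed directory tree instead of the live /proc.

```shell
#!/bin/sh
# stale_openssl_users [PROC_ROOT]
#   Prints "<pid> <comm>" for every process that still maps an old
#   libssl/libcrypto shared object, i.e. one the kernel marks "(deleted)".
#   Exit status 0 when at least one such process exists, 1 otherwise.
#   PROC_ROOT defaults to /proc (assumption: Linux procfs layout).
stale_openssl_users() {
    proc_root="${1:-/proc}"
    found=0
    for maps in "$proc_root"/[0-9]*/maps; do
        # skip unreadable maps (other users' processes) and unmatched globs
        [ -r "$maps" ] || continue
        pid="${maps#"$proc_root"/}"
        pid="${pid%/maps}"
        # maps line of interest looks like (constructed sample):
        # 7f00-7f10 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$maps"; then
            comm=""
            [ -r "$proc_root/$pid/comm" ] && comm=$(cat "$proc_root/$pid/comm")
            echo "$pid ${comm:-?}"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ]
}
```

Run as root so every process's maps file is readable; processes listed need a restart (or the system a reboot, as the advisory suggests) before the fix is effective for them.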