Name: OpenSSL.Server.Name.Extension.DoS
Released Date: Jun 2 2008
Severity: medium
CVE: 2008-0891
Bugtraq: 29405

FortiGuard Center > Vulnerability Encyclopedia


In-Depth Analysis

Description
This indicates an attempt to exploit a memory access vulnerability in the OpenSSL server.

The OpenSSL server on a vulnerable system does not properly validate the server name extension received in the Client Hello message. A remote attacker could send a specially crafted Client Hello, whose server name extension contains \x00, to the OpenSSL server on a vulnerable system. This causes a memory access error in the OpenSSL server, leading to a crash and a denial of service.
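The following is an added example, not part of the FortiGuard entry and not FortiGuard's signature: a small Python parser that walks a TLS ClientHello as far as the server_name (SNI) extension and reports entries that are empty, contain a NUL byte (the \x00 case described above), or carry inconsistent length fields. The build_client_hello helper constructs the test input; its cipher suite, version bytes and zeroed random are assumptions chosen only to make the record well-formed.

```python
"""Detect malformed server_name (SNI) extensions in a TLS ClientHello.

Added example (not the vendor's code). Parses the ClientHello far enough to
reach the server_name extension and returns a list of findings.
"""
import struct

HANDSHAKE = 0x16          # TLS record content type for handshake messages
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for server_name
NAME_TYPE_HOST = 0x00     # server_name entry type host_name


class ParseError(ValueError):
    """Raised when the record is truncated or is not a ClientHello."""


def _need(buf, off, n):
    """Return buf[off:off+n], raising ParseError if the buffer is too short."""
    if off + n > len(buf):
        raise ParseError(f"truncated at offset {off}, need {n} bytes")
    return buf[off:off + n]


def extract_extensions(record: bytes) -> bytes:
    """Return the raw extensions block of a ClientHello, or b'' if absent."""
    if _need(record, 0, 1)[0] != HANDSHAKE:
        raise ParseError("not a handshake record")
    rec_len, = struct.unpack("!H", _need(record, 3, 2))
    body = _need(record, 5, rec_len)
    if body[0] != CLIENT_HELLO:
        raise ParseError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = _need(body, 4, hs_len)
    off = 2 + 32                                   # client_version + random
    sid_len = _need(hello, off, 1)[0]
    off += 1 + sid_len                             # session_id
    cs_len, = struct.unpack("!H", _need(hello, off, 2))
    off += 2 + cs_len                              # cipher_suites
    cm_len = _need(hello, off, 1)[0]
    off += 1 + cm_len                              # compression_methods
    if off == len(hello):
        return b""                                 # client sent no extensions
    ext_len, = struct.unpack("!H", _need(hello, off, 2))
    off += 2
    return _need(hello, off, ext_len)


def check_server_name(record: bytes) -> list:
    """Return findings (strings) about the server_name extension; [] if clean."""
    findings = []
    exts = extract_extensions(record)
    off = 0
    while off < len(exts):
        etype, elen = struct.unpack("!HH", _need(exts, off, 4))
        off += 4
        data = _need(exts, off, elen)
        off += elen
        if etype != EXT_SERVER_NAME:
            continue
        list_len, = struct.unpack("!H", _need(data, 0, 2))
        if list_len != len(data) - 2:
            findings.append("server_name_list length does not match extension length")
        pos = 2
        while pos < len(data):
            ntype = _need(data, pos, 1)[0]
            pos += 1
            nlen, = struct.unpack("!H", _need(data, pos, 2))
            pos += 2
            name = _need(data, pos, nlen)
            pos += nlen
            if ntype != NAME_TYPE_HOST:
                findings.append(f"unknown name_type {ntype}")
            if nlen == 0:
                findings.append("empty host_name")
            if b"\x00" in name:
                findings.append("NUL byte inside host_name")
    return findings


def build_client_hello(server_name: bytes) -> bytes:
    """Constructed test input: minimal TLS 1.0 ClientHello with one SNI entry."""
    entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(server_name)) + server_name
    sni = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    hello = (b"\x03\x01" + b"\x00" * 32            # version, random (zeros: test only)
             + b"\x00"                             # empty session_id
             + struct.pack("!H", 2) + b"\x00\x2f"  # one cipher suite (assumed value)
             + b"\x01\x00"                         # one compression method: null
             + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for name in (b"example.com", b"\x00", b""):
        print(name, "->", check_server_name(build_client_hello(name)))
```

A benign hostname yields no findings; the \x00 and empty cases are reported, which is the condition an IDS rule or a front-end proxy would log and drop before the hello reaches an unpatched OpenSSL server.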
 
Impact
Denial of Service: Remote attackers can crash vulnerable systems.
 
Affected Products
OpenSSL versions 0.9.8f and 0.9.8g.
Aliases
References
http://www.securityfocus.com/bid/29405
http://www.frsirt.com/english/advisories/2008/1680
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0891
http://secunia.com/advisories/30405/
Recommended Actions
Update to OpenSSL version 0.9.8h.
