oss-sec mailing list archives
Re: Two OpenSSL DTLS remote DoS
From: Tomas Hoger <thoger () redhat com>
Date: Tue, 2 Jun 2009 11:02:33 +0200
Hi!

There are 2 more issues that cause DTLS server to crash (NULL pointer dereference DoS), detailed in upstream bug reports linked below.

CVE-2009-1386
DTLS: SegFault if ChangeCipherSpec is received before ClientHello
http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17369

This was first fixed upstream in 0.9.8i.

CVE-2009-1387
DTLS fragment bug - out-of-sequence message handling
http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17958

Here NULL pointer dereference resulting in DTLS server crash can happen in dtls1_retrieve_buffered_fragment() during memcpy from frag->fragment. This is fixed in 1.0.0-beta2, not yet in the latest 0.9.8 available at the moment - 0.9.8k.

Both issues should be reproducible by connecting using 1.0.0-beta2 s_client to 0.9.8 s_server.

--
Tomas Hoger / Red Hat Security Response Team
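A triage helper for the fix points given in the message above, as an added example that is not part of the original post or of OpenSSL: it maps an upstream version string to the status of each CVE and reports "unknown" wherever the message gives no information. The function names, status labels and sample versions are assumptions made for this example.

```python
import re

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([a-z])|-beta(\d+))?$")
FIXED, UNFIXED, UNKNOWN = "fixed", "unfixed", "unknown"
_RELEASE = 10**6  # sorts a final release after every beta of the same base


def parse_version(text):
    """Turn '0.9.8k' or '1.0.0-beta2' into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, fix, letter, beta = m.groups()
    stage = int(beta) if beta else _RELEASE
    patch = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(fix), stage, patch)


def dtls_dos_status(text):
    """Fix status of both CVEs, using only the fix points in the message."""
    v = parse_version(text)
    status = {"CVE-2009-1386": UNKNOWN, "CVE-2009-1387": UNKNOWN}
    if v[:3] == (0, 9, 8):
        # CVE-2009-1386: first fixed upstream in 0.9.8i.
        fixed_1386 = v >= parse_version("0.9.8i")
        status["CVE-2009-1386"] = FIXED if fixed_1386 else UNFIXED
        # CVE-2009-1387: still unfixed in 0.9.8k, the newest 0.9.8 when the
        # message was sent, so later 0.9.8 letters stay UNKNOWN here.
        if v <= parse_version("0.9.8k"):
            status["CVE-2009-1387"] = UNFIXED
    elif v >= parse_version("1.0.0-beta1"):
        # CVE-2009-1387: fixed in 1.0.0-beta2. The message does not give the
        # 1.0.0 status of CVE-2009-1386, so that entry stays UNKNOWN.
        fixed_1387 = v >= parse_version("1.0.0-beta2")
        status["CVE-2009-1387"] = FIXED if fixed_1387 else UNFIXED
    return status


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for sample in ("0.9.8h", "0.9.8k", "0.9.8l", "1.0.0-beta1", "1.0.0-beta2"):
        print(sample, dtls_dos_status(sample))
```

Distribution packages often carry backported fixes without changing the upstream version string, so for vendor builds the result is a starting point and the vendor's own advisory decides.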