Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 2 Jun 2009 11:02:33 +0200
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Two OpenSSL DTLS remote DoS

Hi!

There are 2 more issues that cause DTLS server to crash (NULL pointer
dereference DoS), detailed in upstream bug reports linked below.


CVE-2009-1386
DTLS: SegFault if ChangeCipherSpec is received before ClientHello

http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17369

This was first fixed upstream in 0.9.8i.


CVE-2009-1387
DTLS fragment bug - out-of-sequence message handling

http://rt.openssl.org/Ticket/Display.html?id=1838&user=guest&pass=guest
http://cvs.openssl.org/chngview?cn=17958

Here NULL pointer dereference resulting in DTLS server crash can happen in
dtls1_retrieve_buffered_fragment() during memcpy from frag->fragment.

This is fixed in 1.0.0-beta2, not yet in the latest 0.9.8 available at
the moment - 0.9.8k.


Both issues should be reproducible by connecting using 1.0.0-beta2
s_client to 0.9.8 s_server.

-- 
Tomas Hoger / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.