Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to execute arbitrary code via unspecified vectors.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssl packages installed that are affected by multiple vulnerabilities:

  - OpenSSL 1.0.2 (starting from version 1.0.2b) introduced     an error state mechanism. The intent was that if a     fatal error occurred during a handshake then OpenSSL     would move into the error state and would immediately     fail if you attempted to continue the handshake. This     works as designed for the explicit handshake functions     (SSL_do_handshake(), SSL_accept() and SSL_connect()),     however due to a bug it does not work correctly if     SSL_read() or SSL_write() is called directly. In that     scenario, if the handshake fails then a fatal error will     be returned in the initial function call. If     SSL_read()/SSL_write() is subsequently called by the     application for the same SSL object then it will succeed     and the data is passed without being decrypted/encrypted     directly from the SSL/TLS record layer. In order to     exploit this issue an application bug would have to be     present that resulted in a call to     SSL_read()/SSL_write() being issued after having already     received a fatal error. OpenSSL version 1.0.2b-1.0.2m     are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is     not affected. (CVE-2017-3737)

  - There is an overflow bug in the AVX2 Montgomery     multiplication procedure used in exponentiation with     1024-bit moduli. No EC algorithms are affected. Analysis     suggests that attacks against RSA and DSA as a result of     this defect would be very difficult to perform and are     not believed likely. Attacks against DH1024 are     considered just feasible, because most of the work     necessary to deduce information about a private key may     be performed offline. The amount of resources required     for such an attack would be significant. However, for an     attack on TLS to be meaningful, the server would have to     share the DH1024 private key among multiple clients,     which is no longer an option since CVE-2016-0701. This     only affects processors that support the AVX2 but not     ADX extensions like Intel Haswell (4th generation).
    Note: The impact from this issue is similar to     CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL     version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected.
    Fixed in OpenSSL 1.0.2n. Due to the low severity of this     issue we are not issuing a new release of OpenSSL 1.1.0     at this time. The fix will be included in OpenSSL 1.1.0h     when it becomes available. The fix is also available in     commit e502cc86d in the OpenSSL git repository.
    (CVE-2017-3738)

  - There is a carry propagating bug in the x86_64     Montgomery squaring procedure in OpenSSL before 1.0.2m     and 1.1.0 before 1.1.0g. No EC algorithms are affected.
    Analysis suggests that attacks against RSA and DSA as a     result of this defect would be very difficult to perform     and are not believed likely. Attacks against DH are     considered just feasible (although very difficult)     because most of the work necessary to deduce information     about a private key may be performed offline. The amount     of resources required for such an attack would be very     significant and likely only accessible to a limited     number of attackers. An attacker would additionally need     online access to an unpatched system using the target     private key in a scenario with persistent DH parameters     and a private key that is shared between multiple     clients. This only affects processors that support the     BMI1, BMI2 and ADX extensions like Intel Broadwell (5th     generation) and later or AMD Ryzen. (CVE-2017-3736)

  - OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d     allows remote attackers to cause a denial of service     (infinite loop and memory consumption) via malformed     ASN.1 structures that trigger an improperly handled     error condition. (CVE-2006-2937)

  - OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and     earlier versions allows attackers to cause a denial of     service (CPU consumption) via parasitic public keys with     large (1) public exponent or (2) public modulus     values in X.509 certificates that require extra time to     process when using RSA signature verification.
    (CVE-2006-2940)

  - Buffer overflow in the SSL_get_shared_ciphers function     in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and     earlier versions has unspecified impact and remote     attack vectors involving a long list of ciphers.
    (CVE-2006-3738)

  - OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8     before 0.9.8c, when using an RSA key with exponent 3,     removes PKCS-1 padding before generating a hash, which     allows remote attackers to forge a PKCS #1 v1.5     signature that is signed by that RSA key and prevents     OpenSSL from correctly verifying X.509 and other     certificates that use PKCS #1. (CVE-2006-4339)

  - The get_server_hello function in the SSLv2 client code     in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and     earlier versions allows remote servers to cause a denial     of service (client crash) via unknown vectors that     trigger a null pointer dereference. (CVE-2006-4343)

  - The BN_from_montgomery function in crypto/bn/bn_mont.c     in OpenSSL 0.9.8e and earlier does not properly perform     Montgomery multiplication, which might allow local users     to conduct a side-channel attack and retrieve RSA     private keys. (CVE-2007-3108)

  - Off-by-one error in the DTLS implementation in OpenSSL     0.9.8 before 0.9.8f allows remote attackers to execute     arbitrary code via unspecified vectors. (CVE-2007-4995)

  - Off-by-one error in the SSL_get_shared_ciphers function     in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f,     might allow remote attackers to execute arbitrary code     via a crafted packet that triggers a one-byte buffer     underflow. NOTE: this issue was introduced as a result     of a fix for CVE-2006-3738. As of 20071012, it is     unknown whether code execution is possible.
    (CVE-2007-5135)

  - Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g,     when the TLS server name extensions are enabled, allows     remote attackers to cause a denial of service (crash)     via a malformed Client Hello packet. NOTE: some of these     details are obtained from third party information.
    (CVE-2008-0891)

  - OpenSSL 0.9.8f and 0.9.8g allows remote attackers to     cause a denial of service (crash) via a TLS handshake     that omits the Server Key Exchange message and uses     particular cipher suites, which triggers a NULL     pointer dereference. (CVE-2008-1672)

  - The dtls1_buffer_record function in ssl/d1_pkt.c in     OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote     attackers to cause a denial of service (memory     consumption) via a large series of future epoch DTLS     records that are buffered in a queue, aka DTLS record     buffer limitation bug. (CVE-2009-1377)

  - Multiple memory leaks in the     dtls1_process_out_of_seq_message function in     ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8     versions allow remote attackers to cause a denial of     service (memory consumption) via DTLS records that (1)     are duplicates or (2) have sequence numbers much greater     than current sequence numbers, aka DTLS fragment     handling memory leak. (CVE-2009-1378)

  - Use-after-free vulnerability in the     dtls1_retrieve_buffered_fragment function in     ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote     attackers to cause a denial of service (openssl s_client     crash) and possibly have unspecified other impact via a     DTLS packet, as demonstrated by a packet from a server     that uses a crafted server certificate. (CVE-2009-1379)

  - The TLS protocol, and the SSL protocol 3.0 and possibly     earlier, as used in Microsoft Internet Information     Services (IIS) 7.0, mod_ssl in the Apache HTTP Server     2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5     and earlier, Mozilla Network Security Services (NSS)     3.12.4 and earlier, multiple Cisco products, and other     products, does not properly associate renegotiation     handshakes with an existing connection, which allows     man-in-the-middle attackers to insert data into HTTPS     sessions, and possibly other types of sessions protected     by TLS or SSL, by sending an unauthenticated request     that is processed retroactively by a server in a post-     renegotiation context, related to a plaintext     injection attack, aka the Project Mogul issue.
    (CVE-2009-3555)

  - Memory leak in the zlib_stateful_finish function in     crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and     1.0.0 Beta through Beta 4 allows remote attackers to     cause a denial of service (memory consumption) via     vectors that trigger incorrect calls to the     CRYPTO_cleanup_all_ex_data function, as demonstrated by     use of SSLv3 and PHP with the Apache HTTP Server, a     related issue to CVE-2008-1678. (CVE-2009-4355)

  - The Cryptographic Message Syntax (CMS) implementation in     crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x     before 1.0.0a does not properly handle structures that     contain OriginatorInfo, which allows context-dependent     attackers to modify invalid memory locations or conduct     double-free attacks, and possibly execute arbitrary     code, via unspecified vectors. (CVE-2010-0742)

  - RSA verification recovery in the EVP_PKEY_verify_recover     function in OpenSSL 1.x before 1.0.0a, as used by     pkeyutl and possibly other applications, returns     uninitialized memory upon failure, which might allow     context-dependent attackers to bypass intended key     requirements or obtain sensitive information via     unspecified vectors. NOTE: some of these details are     obtained from third party information. (CVE-2010-1633)

  - Multiple race conditions in ssl/t1_lib.c in OpenSSL     0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-     threading and internal caching are enabled on a TLS     server, might allow remote attackers to execute     arbitrary code via client data that triggers a heap-     based buffer overflow, related to (1) the TLS server     name extension and (2) elliptic curve cryptography.
    (CVE-2010-3864)

  - OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does     not properly prevent modification of the ciphersuite in     the session cache, which allows remote attackers to     force the downgrade to an unintended cipher via vectors     involving sniffing network traffic to discover a session     identifier. (CVE-2010-4180)

  - ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0     through 1.0.0c allows remote attackers to cause a denial     of service (crash), and possibly obtain sensitive     information in applications that use OpenSSL, via a     malformed ClientHello handshake message that triggers an     out-of-bounds memory access, aka OCSP stapling     vulnerability. (CVE-2011-0014)

  - crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e     does not initialize certain structure members, which     makes it easier for remote attackers to bypass CRL     validation by using a nextUpdate value corresponding to     a time in the past. (CVE-2011-3207)

  - OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS     applications, which allows remote attackers to cause a     denial of service (crash) via unspecified vectors     related to an out-of-bounds read. NOTE: this     vulnerability exists because of an incorrect fix for     CVE-2011-4108. (CVE-2012-0050)

  - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c     in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1     before 1.0.1a does not properly interpret integer data,     which allows remote attackers to conduct buffer overflow     attacks, and cause a denial of service (memory     corruption) or possibly have unspecified other impact,     via crafted DER data, as demonstrated by an X.509     certificate or an RSA public key. (CVE-2012-2110)

  - The ssl3_take_mac function in ssl/s3_both.c in OpenSSL     1.0.1 before 1.0.1f allows remote TLS servers to cause a     denial of service (NULL pointer dereference and     application crash) via a crafted Next Protocol     Negotiation record in a TLS handshake. (CVE-2013-4353)

  - The ssl_get_algorithm2 function in ssl/s3_lib.c in     OpenSSL before 1.0.2 obtains a certain version number     from an incorrect data structure, which allows remote     attackers to cause a denial of service (daemon crash)     via crafted traffic from a TLS 1.2 client.
    (CVE-2013-6449)

  - The DTLS retransmission implementation in OpenSSL 1.0.0     before 1.0.0l and 1.0.1 before 1.0.1f does not properly     maintain data structures for digest and encryption     contexts, which might allow man-in-the-middle attackers     to trigger the use of a different context and cause a     denial of service (application crash) by interfering     with packet delivery, related to ssl/d1_both.c and     ssl/t1_enc.c. (CVE-2013-6450)

  - An information disclosure flaw was found in the way     OpenSSL handled TLS and DTLS Heartbeat Extension     packets. A malicious TLS or DTLS client or server could     send a specially crafted TLS or DTLS Heartbeat packet to     disclose a limited portion of memory per request from a     connected client or server. Note that the disclosed     portions of memory could potentially include sensitive     information such as private keys. (CVE-2014-0160)

  - A flaw was found in the way SSL 3.0 handled padding     bytes when decrypting messages encrypted using block     ciphers in cipher block chaining (CBC) mode. This flaw     allows a man-in-the-middle (MITM) attacker to decrypt a     selected byte of a cipher text in as few as 256 tries if     they are able to force a victim application to     repeatedly send the same data over newly created SSL 3.0     connections. (CVE-2014-3566)

  - A flaw was found in the way the DES/3DES cipher was used     as part of the TLS/SSL protocol. A man-in-the-middle     attacker could use this flaw to recover some plaintext     data by capturing large amounts of encrypted traffic     between TLS/SSL server and client if the communication     used a DES/3DES based ciphersuite. (CVE-2016-2183)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has openssl098e packages installed that are affected by multiple vulnerabilities:

  - OpenSSL 0.9.7 before 0.9.7l and 0.9.8 before 0.9.8d     allows remote attackers to cause a denial of service     (infinite loop and memory consumption) via malformed     ASN.1 structures that trigger an improperly handled     error condition. (CVE-2006-2937)

  - OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and     earlier versions allows attackers to cause a denial of     service (CPU consumption) via parasitic public keys with     large (1) public exponent or (2) public modulus     values in X.509 certificates that require extra time to     process when using RSA signature verification.
    (CVE-2006-2940)

  - Buffer overflow in the SSL_get_shared_ciphers function     in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and     earlier versions has unspecified impact and remote     attack vectors involving a long list of ciphers.
    (CVE-2006-3738)

  - OpenSSL before 0.9.7, 0.9.7 before 0.9.7k, and 0.9.8     before 0.9.8c, when using an RSA key with exponent 3,     removes PKCS-1 padding before generating a hash, which     allows remote attackers to forge a PKCS #1 v1.5     signature that is signed by that RSA key and prevents     OpenSSL from correctly verifying X.509 and other     certificates that use PKCS #1. (CVE-2006-4339)

  - The get_server_hello function in the SSLv2 client code     in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and     earlier versions allows remote servers to cause a denial     of service (client crash) via unknown vectors that     trigger a null pointer dereference. (CVE-2006-4343)

  - The BN_from_montgomery function in crypto/bn/bn_mont.c     in OpenSSL 0.9.8e and earlier does not properly perform     Montgomery multiplication, which might allow local users     to conduct a side-channel attack and retrieve RSA     private keys. (CVE-2007-3108)

  - Off-by-one error in the DTLS implementation in OpenSSL     0.9.8 before 0.9.8f allows remote attackers to execute     arbitrary code via unspecified vectors. (CVE-2007-4995)

  - Off-by-one error in the SSL_get_shared_ciphers function     in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f,     might allow remote attackers to execute arbitrary code     via a crafted packet that triggers a one-byte buffer     underflow. NOTE: this issue was introduced as a result     of a fix for CVE-2006-3738. As of 20071012, it is     unknown whether code execution is possible.
    (CVE-2007-5135)

  - OpenSSL 0.9.8i and earlier does not properly check the     return value from the EVP_VerifyFinal function, which     allows remote attackers to bypass validation of the     certificate chain via a malformed SSL/TLS signature for     DSA and ECDSA keys. (CVE-2008-5077)

  - The ASN1_STRING_print_ex function in OpenSSL before     0.9.8k allows remote attackers to cause a denial of     service (invalid memory access and application crash)     via vectors that trigger printing of a (1) BMPString or     (2) UniversalString with an invalid encoded length.
    (CVE-2009-0590)

  - The dtls1_buffer_record function in ssl/d1_pkt.c in     OpenSSL 0.9.8k and earlier 0.9.8 versions allows remote     attackers to cause a denial of service (memory     consumption) via a large series of future epoch DTLS     records that are buffered in a queue, aka DTLS record     buffer limitation bug. (CVE-2009-1377)

  - Multiple memory leaks in the     dtls1_process_out_of_seq_message function in     ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8     versions allow remote attackers to cause a denial of     service (memory consumption) via DTLS records that (1)     are duplicates or (2) have sequence numbers much greater     than current sequence numbers, aka DTLS fragment     handling memory leak. (CVE-2009-1378)

  - Use-after-free vulnerability in the     dtls1_retrieve_buffered_fragment function in     ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote     attackers to cause a denial of service (openssl s_client     crash) and possibly have unspecified other impact via a     DTLS packet, as demonstrated by a packet from a server     that uses a crafted server certificate. (CVE-2009-1379)

  - ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote     attackers to cause a denial of service (NULL pointer     dereference and daemon crash) via a DTLS     ChangeCipherSpec packet that occurs before ClientHello.
    (CVE-2009-1386)

  - The dtls1_retrieve_buffered_fragment function in     ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows     remote attackers to cause a denial of service (NULL     pointer dereference and daemon crash) via an out-of-     sequence DTLS handshake message, related to a fragment     bug. (CVE-2009-1387)

  - The Network Security Services (NSS) library before     3.12.3, as used in Firefox; GnuTLS before 2.6.4 and     2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products     support MD2 with X.509 certificates, which might allow     remote attackers to spoof certificates by using MD2     design flaws to generate a hash collision in less than     brute-force time. NOTE: the scope of this issue is     currently limited because the amount of computation     required is still large. (CVE-2009-2409)

  - OpenSSL before 0.9.8m does not check for a NULL return     value from bn_wexpand function calls in (1)     crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3)     crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which     has unspecified impact and context-dependent attack     vectors. (CVE-2009-3245)

  - The TLS protocol, and the SSL protocol 3.0 and possibly     earlier, as used in Microsoft Internet Information     Services (IIS) 7.0, mod_ssl in the Apache HTTP Server     2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5     and earlier, Mozilla Network Security Services (NSS)     3.12.4 and earlier, multiple Cisco products, and other     products, does not properly associate renegotiation     handshakes with an existing connection, which allows     man-in-the-middle attackers to insert data into HTTPS     sessions, and possibly other types of sessions protected     by TLS or SSL, by sending an unauthenticated request     that is processed retroactively by a server in a post-     renegotiation context, related to a plaintext     injection attack, aka the Project Mogul issue.
    (CVE-2009-3555)

  - Memory leak in the zlib_stateful_finish function in     crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and     1.0.0 Beta through Beta 4 allows remote attackers to     cause a denial of service (memory consumption) via     vectors that trigger incorrect calls to the     CRYPTO_cleanup_all_ex_data function, as demonstrated by     use of SSLv3 and PHP with the Apache HTTP Server, a     related issue to CVE-2008-1678. (CVE-2009-4355)

  - The kssl_keytab_is_available function in ssl/kssl.c in     OpenSSL before 0.9.8n, when Kerberos is enabled but     Kerberos configuration files cannot be opened, does not     check a certain return value, which allows remote     attackers to cause a denial of service (NULL pointer     dereference and daemon crash) via SSL cipher     negotiation, as demonstrated by a chroot installation of     Dovecot or stunnel without Kerberos configuration files     inside the chroot. (CVE-2010-0433)

  - The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c     in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1     before 1.0.1a does not properly interpret integer data,     which allows remote attackers to conduct buffer overflow     attacks, and cause a denial of service (memory     corruption) or possibly have unspecified other impact,     via crafted DER data, as demonstrated by an X.509     certificate or an RSA public key. (CVE-2012-2110)

  - The TLS protocol 1.2 and earlier, as used in Mozilla     Firefox, Google Chrome, Qt, and other products, can     encrypt compressed data without properly obfuscating the     length of the unencrypted data, which allows man-in-the-     middle attackers to obtain plaintext HTTP headers by     observing length differences during a series of guesses     in which a string in an HTTP request potentially matches     an unknown string in an HTTP header, aka a CRIME     attack. (CVE-2012-4929)

  - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1     before 1.0.1d does not properly perform signature     verification for OCSP responses, which allows remote     OCSP servers to cause a denial of service (NULL pointer     dereference and application crash) via an invalid key.
    (CVE-2013-0166)

  - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0     and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and     other products, do not properly consider timing side-     channel attacks on a MAC check requirement during the     processing of malformed CBC padding, which allows remote     attackers to conduct distinguishing attacks and     plaintext-recovery attacks via statistical analysis of     timing data for crafted packets, aka the Lucky     Thirteen issue. (CVE-2013-0169)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the openssl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A NULL pointer dereference flaw was found in OpenSSL's     X.509 certificate handling implementation. A specially     crafted X.509 certificate could cause an application     using OpenSSL to crash if the application attempted to     convert the certificate to a certificate     request.(CVE-2015-0288)

  - Off-by-one error in the DTLS implementation in OpenSSL     0.9.8 before 0.9.8f allows remote attackers to execute     arbitrary code via unspecified vectors.(CVE-2007-4995)

  - An integer underflow flaw, leading to a buffer     overflow, was found in the way OpenSSL decoded     malformed Base64-encoded inputs. An attacker able to     make an application using OpenSSL decode a specially     crafted Base64-encoded input (such as a PEM file) could     use this flaw to cause the application to crash. Note:
    this flaw is not exploitable via the TLS/SSL protocol     because the data being transferred is not     Base64-encoded.(CVE-2015-0292)

  - OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled,     does not properly prevent modification of the     ciphersuite in the session cache, which allows remote     attackers to force the downgrade to an unintended     cipher via vectors involving sniffing network traffic     to discover a session identifier.(CVE-2010-4180)

  - OpenSSL before 0.9.8m does not check for a NULL return     value from bn_wexpand function calls in (1)     crypto/bn/bn_div.c, (2) crypto/bn/bn_gf2m.c, (3)     crypto/ec/ec2_smpl.c, and (4) engines/e_ubsec.c, which     has unspecified impact and context-dependent attack     vectors.(CVE-2009-3245)

  - The Cryptographic Message Syntax (CMS) implementation     in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and     1.x before 1.0.0a does not properly handle structures     that contain OriginatorInfo, which allows     context-dependent attackers to modify invalid memory     locations or conduct double-free attacks, and possibly     execute arbitrary code, via unspecified     vectors.(CVE-2010-0742)

  - Race condition in the ssl3_read_bytes function in     s3_pkt.c in OpenSSL through 1.0.1g, when     SSL_MODE_RELEASE_BUFFERS is enabled, allows remote     attackers to inject data across sessions or cause a     denial of service (use-after-free and parsing error)     via an SSL connection in a multithreaded     environment.(CVE-2010-5298)

  - The BN_from_montgomery function in crypto/bn/bn_mont.c     in OpenSSL 0.9.8e and earlier does not properly perform     Montgomery multiplication, which might allow local     users to conduct a side-channel attack and retrieve RSA     private keys.(CVE-2007-3108)

  - A memory leak flaw was found in the way an OpenSSL     handled failed session ticket integrity checks. A     remote attacker could exhaust all available memory of     an SSL/TLS or DTLS server by sending a large number of     invalid session tickets to that server.(CVE-2014-3567)

  - It was discovered that OpenSSL would perform an ECDH     key exchange with a non-ephemeral key even when the     ephemeral ECDH cipher suite was selected. A malicious     server could make a TLS/SSL client using OpenSSL use a     weaker key exchange method than the one requested by     the user.(CVE-2014-3572)

  - A denial of service flaw was found in the way OpenSSL     handled certain DTLS ServerHello requests. A specially     crafted DTLS handshake packet could cause a DTLS client     using OpenSSL to crash.(CVE-2014-0221)

  - A NULL pointer dereference was found in the way OpenSSL     handled certain PKCS#7 inputs. An attacker able to make     an application using OpenSSL verify, decrypt, or parse     a specially crafted PKCS#7 input could cause that     application to crash. TLS/SSL clients and servers using     OpenSSL were not affected by this flaw.(CVE-2015-1790)

  - The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0     and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and     other products, do not properly consider timing     side-channel attacks on a MAC check requirement during     the processing of malformed CBC padding, which allows     remote attackers to conduct distinguishing attacks and     plaintext-recovery attacks via statistical analysis of     timing data for crafted packets, aka the 'Lucky     Thirteen' issue.(CVE-2013-0169)

  - OpenSSL 0.9.8i and earlier does not properly check the     return value from the EVP_VerifyFinal function, which     allows remote attackers to bypass validation of the     certificate chain via a malformed SSL/TLS signature for     DSA and ECDSA keys.(CVE-2008-5077)

  - The TLS protocol, and the SSL protocol 3.0 and possibly     earlier, as used in Microsoft Internet Information     Services (IIS) 7.0, mod_ssl in the Apache HTTP Server     2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5     and earlier, Mozilla Network Security Services (NSS)     3.12.4 and earlier, multiple Cisco products, and other     products, does not properly associate renegotiation     handshakes with an existing connection, which allows     man-in-the-middle attackers to insert data into HTTPS     sessions, and possibly other types of sessions     protected by TLS or SSL, by sending an unauthenticated     request that is processed retroactively by a server in     a post-renegotiation context, related to a 'plaintext     injection' attack, aka the 'Project Mogul'     issue.(CVE-2009-3555)

  - Multiple memory leaks in the     dtls1_process_out_of_seq_message function in     ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8     versions allow remote attackers to cause a denial of     service (memory consumption) via DTLS records that (1)     are duplicates or (2) have sequence numbers much     greater than current sequence numbers, aka 'DTLS     fragment handling memory leak.'(CVE-2009-1378)

  - The dtls1_retrieve_buffered_fragment function in     ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows     remote attackers to cause a denial of service (NULL     pointer dereference and daemon crash) via an     out-of-sequence DTLS handshake message, related to a     'fragment bug.'(CVE-2009-1387)

  - There is a carry propagating bug in the x86_64     Montgomery squaring procedure in OpenSSL before 1.0.2m     and 1.1.0 before 1.1.0g. No EC algorithms are affected.
    Analysis suggests that attacks against RSA and DSA as a     result of this defect would be very difficult to     perform and are not believed likely. Attacks against DH     are considered just feasible (although very difficult)     because most of the work necessary to deduce     information about a private key may be performed     offline. The amount of resources required for such an     attack would be very significant and likely only     accessible to a limited number of attackers. An     attacker would additionally need online access to an     unpatched system using the target private key in a     scenario with persistent DH parameters and a private     key that is shared between multiple clients. This only     affects processors that support the BMI1, BMI2 and ADX     extensions like Intel Broadwell (5th generation) and     later or AMD Ryzen.(CVE-2017-3736)

  - A flaw was discovered in the way OpenSSL handled DTLS     packets. A remote attacker could use this flaw to cause     a DTLS server or client using OpenSSL to crash or use     excessive amounts of memory.(CVE-2014-3505)

  - The dtls1_reassemble_fragment function in d1_both.c in     OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1     before 1.0.1h does not properly validate fragment     lengths in DTLS ClientHello messages, which allows     remote attackers to execute arbitrary code or cause a     denial of service (buffer overflow and application     crash) via a long non-initial fragment.(CVE-2014-0195)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201412-11 (AMD64 x86 emulation base libraries: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in AMD64 x86 emulation       base libraries. Please review the CVE identifiers referenced below for       details.
  Impact :

    A context-dependent attacker may be able to execute arbitrary code,       cause a Denial of Service condition, or obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2007-0964 advisory.

    [0.9.8b-8.3.2]
     - more DTLS fixes (#321211)

     [0.9.8b-8.3.1]
     - fix CVE-2007-3108 - side channel attack on private keys (#322891)
     - fix CVE-2007-5135 - off-by-one in SSL_get_shared_ciphers (#309871)
     - fix CVE-2007-4995 - out of order DTLS fragments buffer overflow (#321211)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Datagram TLS (DTLS) is a protocol based on TLS that is capable of securing datagram transport (UDP for instance).

The OpenSSL security team discovered a flaw in DTLS support. An attacker could create a malicious client or server that could trigger a heap overflow. This is possibly exploitable to run arbitrary code, but it has not been verified (CVE-2007-5135). Note that this flaw only affects applications making use of DTLS. Scientific Linux does not ship any DTLS client or server applications.

A flaw was found in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer with a single byte (CVE-2007-4995). Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging.

A number of possible side-channel attacks were discovered affecting OpenSSL. A local attacker could possibly obtain RSA private keys being used on a system. In practice these attacks would be difficult to perform outside of a lab environment. This update contains backported patches designed to mitigate these issues. (CVE-2007-3108).

Users of OpenSSL should upgrade to these updated packages, which contain backported patches to resolve these issues.

Please note that the fix for the DTLS flaw involved an overhaul of the DTLS handshake processing which may introduce incompatibilities if a new client is used with an older server.

After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.

The version of OpenSSL installed on the remote host is prior to 0.9.8f. It is, therefore, affected by multiple vulnerabilities as referenced in the 0.9.8f advisory.

  - Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to     0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-     byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of     20071012, it is unknown whether code execution is possible. (CVE-2007-5135)

  - Off-by-one error in the DTLS implementation in OpenSSL 0.9.8 before 0.9.8f allows remote attackers to     execute arbitrary code via unspecified vectors. (CVE-2007-4995)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated OpenSSL packages that correct several security issues are now available for Red Hat Enterprise 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

OpenSSL is a toolkit that implements Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. Datagram TLS (DTLS) is a protocol based on TLS that is capable of securing datagram transport (UDP for instance).

The OpenSSL security team discovered a flaw in DTLS support. An attacker could create a malicious client or server that could trigger a heap overflow. This is possibly exploitable to run arbitrary code, but it has not been verified (CVE-2007-4995). Note that this flaw only affects applications making use of DTLS. Red Hat does not ship any DTLS client or server applications in Red Hat Enterprise Linux.

A flaw was found in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer with a single byte (CVE-2007-5135). Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging.

A number of possible side-channel attacks were discovered affecting OpenSSL. A local attacker could possibly obtain RSA private keys being used on a system. In practice these attacks would be difficult to perform outside of a lab environment. This update contains backported patches designed to mitigate these issues. (CVE-2007-3108).

Users of OpenSSL should upgrade to these updated packages, which contain backported patches to resolve these issues.

Please note that the fix for the DTLS flaw involved an overhaul of the DTLS handshake processing which may introduce incompatibilities if a new client is used with an older server.

After installing this update, users are advised to either restart all services that use OpenSSL or restart their system.

A buffer overflow in the DTLS implementation of openssl could be exploited by attackers to potentially execute arbitrary code.
(CVE-2007-4995)

A buffer overflow in the DTLS implementation of OpenSSL 0.9.8 could be exploited by attackers to potentially execute arbitrary code. It is questionable as to whether the DTLS support even worked or is used in any applications; as a result this flaw most likely does not affect most Mandriva users.

The updated packages have been patched to correct these issue.

Andy Polyakov discovered that the DTLS implementation in OpenSSL was vulnerable. A remote attacker could send a specially crafted connection request to services using DTLS and execute arbitrary code with the service's privileges. There are no known Ubuntu applications that are currently using DTLS.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This is important security update.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200710-30 (OpenSSL: Remote execution of arbitrary code)

    Andy Polyakov reported a vulnerability in the OpenSSL toolkit, that is     caused due to an unspecified off-by-one error within the DTLS     implementation.
  Impact :

    A remote attacker could exploit this issue to execute arbitrary code or     cause a Denial of Service. Only clients and servers explicitly using     DTLS are affected, systems using SSL and TLS are not.
  Workaround :

    There is no known workaround at this time.

A buffer overflow in the DTLS implementation of openssl could be exploited by attackers to potentially execute arbitrary code (CVE-2007-4995).

- Fri Oct 12 2007 Tomas Mraz <tmraz at redhat.com>     0.9.8b-15

    - fix CVE-2007-5135 - off-by-one in       SSL_get_shared_ciphers (#309801)

    - fix CVE-2007-4995 - out of order DTLS fragments buffer       overflow (#321191)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is using a version of OpenSSL that is older than 0.9.7n or 0.9.8f.  There are several bugs in this version of OpenSSL that may allow an attacker to either execute remote code or cause a Denial of Service (DoS). 

ID	Name	Product	Family	Severity
127201	NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl Multiple Vulnerabilities (NS-SA-2019-0033)	Nessus	NewStart CGSL Local Security Checks	high
127177	NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl098e Multiple Vulnerabilities (NS-SA-2019-0020)	Nessus	NewStart CGSL Local Security Checks	critical
125000	EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1547)	Nessus	Huawei Local Security Checks	medium
79964	GLSA-201412-11 : AMD64 x86 emulation base libraries: Multiple vulnerabilities (Heartbleed)	Nessus	Gentoo Local Security Checks	critical
67585	Oracle Linux 5 : Important: / openssl (ELSA-2007-0964)	Nessus	Oracle Linux Local Security Checks	critical
60267	Scientific Linux Security Update : openssl on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
17760	OpenSSL 0.9.8 < 0.9.8f Multiple Vulnerabilities	Nessus	Web Servers	critical
43658	CentOS 5 : openssl (CESA-2007:0964)	Nessus	CentOS Local Security Checks	high
29545	SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 4559)	Nessus	SuSE Local Security Checks	high
29234	Mandrake Linux Security Advisory : openssl (MDKSA-2007:237)	Nessus	Mandriva Local Security Checks	high
28140	Ubuntu 6.06 LTS / 6.10 / 7.04 / 7.10 : openssl vulnerability (USN-534-1)	Nessus	Ubuntu Local Security Checks	high
27777	Fedora 7 : openssl-0.9.8b-15.fc7 (2007-2530)	Nessus	Fedora Local Security Checks	high
27592	GLSA-200710-30 : OpenSSL: Remote execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
27531	openSUSE 10 Security Update : libopenssl-devel (libopenssl-devel-4560)	Nessus	SuSE Local Security Checks	high
27061	Fedora Core 6 : openssl-0.9.8b-15.fc6 (2007-725)	Nessus	Fedora Local Security Checks	high
27052	RHEL 5 : openssl (RHSA-2007:0964)	Nessus	Red Hat Local Security Checks	high
4221	OpenSSL < 0.9.8f Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
801056	OpenSSL < 0.9.8f Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high

Detections

Analytics

CVE-2007-4995

critical

Tenable Plugins

high

critical

medium

critical

critical

high

critical

high

high

high

high

high

high

high

high

high

medium

high