Detections
Analytics
OpenSSL 0.9.8f < 0.9.8h Multiple Vulnerabilities
high Nessus Plugin ID 56996
Language:
Synopsis
The remote service is affected by multiple vulnerabilities.Description
The version of OpenSSL installed on the remote host is prior to 0.9.8h. It is, therefore, affected by multiple vulnerabilities as referenced in the 0.9.8h advisory.- OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses particular cipher suites, which triggers a NULL pointer dereference. (CVE-2008-1672)
- Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE:
some of these details are obtained from third party information. (CVE-2008-0891)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to OpenSSL version 0.9.8h or later.See Also
https://www.cve.org/CVERecord?id=CVE-2008-0891
Plugin Details
Severity: High
ID: 56996
File Name: openssl_0_9_8h.nasl
Version: 1.17
Type: combined
Agent: windows, macosx, unix
Family: Web Servers
Published: 12/2/2011
Updated: 10/23/2024
Configuration: Enable thorough checks
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.2
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P
CVSS Score Source: CVE-2008-1672
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:openssl:openssl
Required KB Items: installed_sw/OpenSSL
Exploit Ease: No known exploits are available
Patch Publication Date: 5/28/2008
Vulnerability Publication Date: 5/28/2008
Reference Information
CVE: CVE-2008-0891, CVE-2008-1672