The version of OpenSSL installed on the remote host is prior to 1.0.1h. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.0.1h advisory.

  - The dtls1_clear_queues function in ssl/d1_lib.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1     before 1.0.1h frees data structures without considering that application data can arrive between a     ChangeCipherSpec message and a Finished message, which allows remote DTLS peers to cause a denial of     service (memory corruption and application crash) or possibly have unspecified other impact via unexpected     application data. (CVE-2014-8176)

  - Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding     implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote     attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via     crafted base64 data that triggers a buffer overflow. (CVE-2015-0292)

  - OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing     of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length     master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain     sensitive information, via a crafted TLS handshake, aka the CCS Injection vulnerability. (CVE-2014-0224)

  - The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and     1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via     a DTLS hello message in an invalid DTLS handshake. (CVE-2014-0221)

  - The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and     1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows     remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application     crash) via a long non-initial fragment. (CVE-2014-0195)

  - The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m,     and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a     denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
    (CVE-2014-3470)

  - The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is     enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote     attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that     trigger an alert condition. (CVE-2014-0198)

  - Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when     SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a     denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
    (CVE-2010-5298)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

OpenSSL 1.0.1 < 1.0.1h Multiple Vulnerabilities

high Nessus Plugin ID 74364

Version 1.24

Version 1.23

Version 1.22

Version 1.21

Version 1.24 Oct 23, 2024, 3:47 PM Plugin metadata (update thorough_tests attribute) Plugin Feed: 202410231547
Version 1.23 Oct 7, 2024, 1:27 PM Plugin categorization (adding new 'component' to component plugins) Plugin Feed: 202410071327
Version 1.22 Jun 7, 2024, 4:47 PM CVE (set "CVE" coverage to "CVE-2010-5298,CVE-2014-0195,CVE-2014-0198,CVE-2014-0221,CVE-2014-0224,CVE-2014-3470,CVE-2014-8176,CVE-2015-0292") CVSS metrics ("CVSSv3 score" set to 7.4) CVSS metrics ("CVSSv3 vector" set to "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:F/RL:O/RC:C") CVSSv3 score source (set to "CVE-2014-0224") Detection (updated detection logic) Exploit attributes ("Exploit framework core" changed from "True" to none) Plugin metadata Plugin Feed: 202406071647
Version 1.21 Aug 21, 2023, 6:09 PM Plugin categorization Plugin requirements Plugin Feed: 202308211809