OpenSSL < 0.9.8o / 1.0.0a Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 5559

Synopsis

The remote web server is vulnerable to multiple attack vectors.

Description

Versions of OpenSSL earlier than 0.9.8o and 1.0.0a are potentially affected by multiple vulnerabilities :

- CMS structures containing 'OriginatorInfo' are mishandled which can cause the application to write to invalid memory addresses or free up memory twice. Note that this only affects OpenSSL with CMS code present. (CVE-2010-0742)

- When verification recovery fails for RSA keys, an uninitialized buffer with an undefined length is returned instead of an error code. Note that this only affects OpenSSL 1.0.0. (CVE-2010-1633)

Solution

Upgrade to OpenSSL 0.9.8o, 1.0.0, or later.

See Also

http://www.openssl.org/news/secadv_20100601.txt

Plugin Details

Severity: High

ID: 5559

Family: Web Servers

Published: 6/2/2010

Updated: 3/6/2019

Nessus ID: 46801

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:openssl:openssl

Patch Publication Date: 6/1/2010

Vulnerability Publication Date: 6/1/2010

Reference Information

CVE: CVE-2010-0742, CVE-2010-1633

BID: 40502, 40503