English | Deutsch | Español
 
Startseite ▼
Startseite Über uns Kontact Datenschutz Partnerprogramme Zeugnisse In der Presse Mailinglisten Missbrauch Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Sicherheits
Überprüfungs ▼
Home Dediziert Erweitert Standard Wiederkehrend Risikolos Desktop Basis Sicherheits Segal FAQ Preis/Funktionszusammenfassung Bestellen Neue Anfälligkeiten Alle Anfälligkeiten Vertraulichkeit Anfälligkeiten Suche Durchführen Terminkalender IP Permissions Maßgeschneidert Warteschlange Erinnerer Siegel Berichte Berichts Stil
Verwaltetes
DNS ▼
Info Bestellen/Erneuern FAQ AUP Dynamic DNS Clients
Domaine konfigurieren Dyanmic DNS Update Password
Netzwerk
Überwachung ▼
Enterprise Erweiterte Standard Gratis Test FAQ Preis/Funktionszusammenfassung Bestellen Beispiele
Konfigurieren/Status Alarm Profile
Recherce
Berichte ▼
Home FAQ Glossary Archive
 Anmeldung/Registrierung 
 
 Anfälligkeitssuche        Suche in 219043 CVE Beschreibungen
und 99761 Test Beschreibungen,
Zugriff auf 10,000+ Quellverweise.
Tests   CVE   Alle  

Test Kennung:1.3.6.1.4.1.25623.1.0.806732
Kategorie:General
Titel:OpenSSL Multiple Vulnerabilities (20150319 - 2) - Windows
Zusammenfassung:OpenSSL is prone to multiple vulnerabilities.
Beschreibung:Summary:
OpenSSL is prone to multiple vulnerabilities.

Vulnerability Insight:
The following flaws exist:

- CVE-2015-1787: Empty CKE with client auth and DHE. If client auth is used then a server can seg
fault in the event of a DHE ciphersuite being selected and a zero length ClientKeyExchange message
being sent by the client. This could be exploited in a DoS attack.

- CVE-2015-0290: Multiblock corrupted pointer. OpenSSL 1.0.2 introduced the 'multiblock'
performance improvement. This feature only applies on 64 bit x86 architecture platforms that
support AES NI instructions. A defect in the implementation of 'multiblock' can cause OpenSSL's
internal write buffer to become incorrectly set to NULL when using non-blocking IO. Typically,
when the user application is using a socket BIO for writing, this will only result in a failed
connection. However if some other BIO is used then it is likely that a segmentation fault will be
triggered, thus enabling a potential DoS attack.

- CVE-2015-0291: ClientHello sigalgs DoS. If a client connects to an OpenSSL 1.0.2 server and
renegotiates with an invalid signature algorithms extension a NULL pointer dereference will occur.
This can be exploited in a DoS attack against the server.

- CVE-2015-0285: Under certain conditions an OpenSSL 1.0.2 client can complete a handshake with an
unseeded PRNG. If the handshake succeeds then the client random that has been used will have been
generated from a PRNG with insufficient entropy and therefore the output may be predictable.

- CVE-2015-0208: Segmentation fault for invalid PSS parameters. The signature verification
routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the
RSA PSS algorithm and invalid parameters. Since these routines are used to verify certificate
signature algorithms this can be used to crash any certificate verification operation and
exploited in a DoS attack. Any application which performs certificate verification is vulnerable
including OpenSSL clients and servers which enable client authentication.

- CVE-2015-0207: Segmentation fault in DTLSv1_listen. A defect in the implementation of
DTLSv1_listen means that state is preserved in the SSL object from one invocation to the next that
can lead to a segmentation fault. Errors processing the initial ClientHello can trigger this
scenario. An example of such an error could be that a DTLS1.0 only client is attempting to connect
to a DTLS1.2 only server.

Vulnerability Impact:
Successful exploitation will allow a remote
attacker to conduct brute-force attack, to cause a denial of service.

Affected Software/OS:
OpenSSL version 1.0.2.

Solution:
Update to version 1.0.2a or later.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Querverweis: BugTraq ID: 73238
BugTraq ID: 73226
BugTraq ID: 73235
BugTraq ID: 73234
BugTraq ID: 73229
Common Vulnerability Exposure (CVE) ID: CVE-2015-1787
http://www.securityfocus.com/bid/73238
https://security.gentoo.org/glsa/201503-11
HPdes Security Advisory: HPSBMU03380
http://marc.info/?l=bugtraq&m=143748090628601&w=2
HPdes Security Advisory: HPSBMU03397
http://marc.info/?l=bugtraq&m=144050297101809&w=2
HPdes Security Advisory: HPSBMU03409
http://marc.info/?l=bugtraq&m=144050155601375&w=2
http://www.securitytracker.com/id/1031929
Common Vulnerability Exposure (CVE) ID: CVE-2015-0290
http://www.securityfocus.com/bid/73226
Common Vulnerability Exposure (CVE) ID: CVE-2015-0291
http://www.securityfocus.com/bid/73235
Common Vulnerability Exposure (CVE) ID: CVE-2015-0285
http://www.securityfocus.com/bid/73234
Common Vulnerability Exposure (CVE) ID: CVE-2015-0208
BugTraq ID: 73230
http://www.securityfocus.com/bid/73230
Common Vulnerability Exposure (CVE) ID: CVE-2015-0207
http://www.securityfocus.com/bid/73229
CopyrightCopyright (C) 2015 Greenbone Networks GmbH

Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.

Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.



© 1998-2024 E-Soft Inc. Alle Rechte vorbehalten.