{"vuid":"VU#520586","idnumber":"520586","name":"OpenSSL TLS handshake Denial of Service","keywords":["OpenSSL","DoS","denial of service","server name extension data","Server Key exchange message","TLS handshake"],"overview":"A vulnerability exists in OpenSSL that may allow a remote attacker to cause a denial of service.","clean_desc":"OpenSSL contains a vulnerability in the way specially crafted TLS handshake packets are handled that may result in a denial of service. According to OpenSSL Security Advisory [28-Mar-2008]: ... if the 'Server Key exchange message' is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash. Note that this issue may affect OpenSSL versions prior to 0.9.8h.","impact":"A remote, unauthorized attacker may be able to cause a denial of service.","resolution":"Upgrade or Apply Patch\nOpenSSL has issued an upgrade and a patch to address this issue. See OpenSSL Security Advisory [28-Mar-2008] for more information. OpenSSL is included in various Linux and UNIX distributions. Please consult the relevant documentation of your distribution to obtain the appropriate updates.","workarounds":"","sysaffected":"","thanks":"This issue was reported in \nOpenSSL Security Advisory [28-Mar-2008]\n. \nOpenSSL credits Codenomicon for reporting these issues.","author":"This document was written by Chris Taschner.","public":["http://www.securityfocus.com/bid/29405","http://cert.fi/haavoittuvuudet/2008/advisory-openssl.html","http://secunia.com/advisories/30405/","http://www.openssl.org/news/secadv_20080528.txt"],"cveids":["CVE-2008-1672"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2008-05-30T04:00:00Z","publicdate":"2008-05-28T00:00:00Z","datefirstpublished":"2008-05-30T17:34:59Z","dateupdated":"2008-05-30T17:37:13Z","revision":10,"vrda_d1_directreport":"1","vrda_d1_population":"4","vrda_d1_impact":"2","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"20","cam_impact":"7","cam_easeofexploitation":"14","cam_attackeraccessrequired":"16","cam_scorecurrent":"14.7","cam_scorecurrentwidelyknown":"17.64","cam_scorecurrentwidelyknownexploited":"29.4","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":14.7,"vulnote":null}