CVE-2009-1378

Severity

50%

Complexity

99%

Confidentiality

48%

Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."

Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P).

Overview

First reported 15 years ago

2009-05-19 19:30:00

Last updated 7 years ago

2017-09-29 01:34:00

Affected Software

OpenSSL Project OpenSSL 0.9.8a

0.9.8a

OpenSSL Project OpenSSL 0.9.8b

0.9.8b

OpenSSL Project OpenSSL 0.9.8c

0.9.8c

OpenSSL Project OpenSSL 0.9.8d

0.9.8d

OpenSSL Project OpenSSL 0.9.8e

0.9.8e

OpenSSL Project OpenSSL 0.9.8f

0.9.8f

OpenSSL Project OpenSSL 0.9.8g

0.9.8g

OpenSSL Project OpenSSL 0.9.8h

0.9.8h

OpenSSL Project OpenSSL 0.9.8i

0.9.8i

OpenSSL Project OpenSSL 0.9.8j

0.9.8j

OpenSSL Project OpenSSL

References

NetBSD-SA2009-009

http://cvs.openssl.org/chngview?cn=18188

Patch

SSRT100079

SUSE-SR:2009:011

[security-announce] 20100303 VMSA-2010-0004 ESX Service Console and vMA third party updates

[openssl-dev] 20090516 [openssl.org #1931] [PATCH] DTLS fragment handling memory leak

Patch

[openssl-dev] 20090518 Re: [openssl.org #1931] [PATCH] DTLS fragment handling memory leak

Exploit

http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest

Patch

35128

Vendor Advisory

35416

35461

35571

35729

36533

37003

38761

38794

38834

42724

42733

GLSA-200912-01

SSA:2010-060-02

http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net

http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html

MDVSA-2009:120

[oss-security] 20090518 Two OpenSSL DTLS remote DoS

RHSA-2009:1335

35001

1022241

USN-792-1

ADV-2009-1377

ADV-2010-0528

https://kb.bluecoat.com/index?page=content&id=SA50

https://launchpad.net/bugs/cve/2009-1378

oval:org.mitre.oval:def:11309

oval:org.mitre.oval:def:7229

8720

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.