Vigil@nce - OpenSSL: NULL pointer dereference via ssl3_take_mac
January 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A malicious TLS server can send an invalid handshake to an
OpenSSL client, forcing it to dereference a NULL pointer and
triggering a denial of service.
Impacted products: Debian, Fedora, FreeBSD, Copssh, OpenSSL,
openSUSE, RHEL, Slackware
Severity: 2/4
Creation date: 07/01/2014
DESCRIPTION OF THE VULNERABILITY
The OpenSSL library implements SSL/TLS, for clients and servers.
The ssl3_take_mac() function in ssl/s3_both.c is used by
clients to compute the Finished MAC. However, it does not check
whether a pointer is NULL before using it.
A malicious TLS server can therefore send an invalid handshake to
an OpenSSL client, forcing it to dereference a NULL pointer and
triggering a denial of service.
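The missing check described above, as a simplified C model added here (not OpenSSL's code and not part of the bulletin). The names hs_state, new_cipher, take_mac_unchecked and take_mac_checked are hypothetical, and the model assumes the unchecked pointer is a cipher descriptor that stays NULL until the handshake sets it, which the bulletin does not specify.

```c
/* Simplified model, NOT OpenSSL source: every name here is hypothetical. */
#include <stdio.h>
#include <string.h>
#define MAC_MAX 16

/* Cipher descriptor; the state below points to one only once it is set. */
struct cipher_model {
    size_t (*finish_mac)(const char *label, unsigned char *out);
};

struct hs_state {
    const struct cipher_model *new_cipher;   /* assumed NULL until set */
    unsigned char peer_finish_md[MAC_MAX];
    size_t peer_finish_md_len;
};

/* Toy stand-in for the Finished MAC computation (constructed). */
static size_t toy_finish_mac(const char *label, unsigned char *out)
{
    size_t n = strlen(label) < MAC_MAX ? strlen(label) : MAC_MAX;
    memcpy(out, label, n);
    return n;
}
static const struct cipher_model TOY_CIPHER = { toy_finish_mac };

/* Unchecked form: dereferences new_cipher even when it was never set. */
void take_mac_unchecked(struct hs_state *s)
{
    s->peer_finish_md_len =
        s->new_cipher->finish_mac("server finished", s->peer_finish_md);
}

/* Checked form: returns -1 so the caller can abort the handshake cleanly. */
int take_mac_checked(struct hs_state *s)
{
    if (s == NULL || s->new_cipher == NULL)
        return -1;
    s->peer_finish_md_len =
        s->new_cipher->finish_mac("server finished", s->peer_finish_md);
    return 0;
}

int main(void)
{
    struct hs_state s = {0};
    printf("pointer unset: %d\n", take_mac_checked(&s));
    s.new_cipher = &TOY_CIPHER;
    printf("pointer set:   %d\n", take_mac_checked(&s));
}
```

The checked form turns the crash into an error return, which lets the client fail the one connection instead of the whole process.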
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSL-NULL-pointer-dereference-via-ssl3-take-mac-14029