Vigil@nce: OpenSSL, denial of service via DTLS
May 2009 by Vigil@nce
An attacker can create a denial of service on applications using
OpenSSL with DTLS.
– Severity: 2/4
– Consequences: denial of service
– Provenance: internet client
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 3
– Creation date: 18/05/2009
– Revision date: 19/05/2009
IMPACTED PRODUCTS
– Mandriva Linux
– OpenSSL
DESCRIPTION OF THE VULNERABILITY
The DTLS (Datagram Transport Layer Security) protocol, based on
TLS, provides a cryptographic layer over the UDP protocol. OpenSSL
has implemented DTLS since version 0.9.8. Three DTLS vulnerabilities
were announced.
When a DTLS packet indicates a date in the future, OpenSSL keeps
it in memory to handle it later. However, there is no limit on the
number of packets kept in memory. An attacker can therefore send
several packets in order to progressively force OpenSSL to use all
system memory. [grav:2/4; BID-35001, CVE-2009-1377]
Fragmented DTLS packets with a sequence number greater than the
expected number are kept in memory by the dtls1_process_out_of_seq_message()
function, in order to wait for the intermediate packets. However,
there is no limit on the number of packets to keep in memory, nor
on the allowed advance. An attacker can therefore send several
fragmented packets in order to force OpenSSL to use all available
memory. [grav:2/4; BID-35001, CVE-2009-1378]
In some cases, the ssl/d1_both.c file uses the "frag" variable
after it has been freed. An attacker can therefore send a fragmented
message in order to generate a denial of service. [grav:1/4;
CVE-2009-1379]
An attacker can therefore create a denial of service on
applications using OpenSSL with DTLS.
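The two memory-exhaustion issues above (CVE-2009-1377, CVE-2009-1378) both come from buffering data "for later" without a bound. The following is an added example, not OpenSSL code and not its patch: it shows a reassembly buffer that enforces a cap on buffered fragments and on the allowed advance before allocating, and clears pointers on release. All names and limits (buffer_fragment, reasm_clear, MAX_BUFFERED, MAX_ADVANCE) are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical limits for illustration; not OpenSSL's actual values. */
#define MAX_BUFFERED 4   /* cap on fragments held at once */
#define MAX_ADVANCE  10  /* furthest sequence number ahead that is accepted */

struct frag { uint16_t seq; size_t len; unsigned char *data; };

struct reasm {
    uint16_t next_seq;                /* next sequence number expected */
    size_t count;                     /* fragments currently buffered */
    struct frag slots[MAX_BUFFERED];
};

enum buf_result { BUF_STORED, BUF_NOT_FUTURE, BUF_DROP_TOO_FAR,
                  BUF_DROP_DUP, BUF_DROP_FULL, BUF_ERR_NOMEM };

/* Decide whether to keep an out-of-sequence fragment. Every bound is
 * checked before memory is allocated, so a peer cannot grow the buffer
 * beyond MAX_BUFFERED entries however many datagrams it sends. */
enum buf_result buffer_fragment(struct reasm *r, uint16_t seq,
                                const unsigned char *data, size_t len)
{
    if (seq <= r->next_seq) return BUF_NOT_FUTURE;   /* caller handles it */
    if (seq - r->next_seq > MAX_ADVANCE) return BUF_DROP_TOO_FAR;
    for (size_t i = 0; i < r->count; i++)
        if (r->slots[i].seq == seq) return BUF_DROP_DUP;
    if (r->count >= MAX_BUFFERED) return BUF_DROP_FULL;
    unsigned char *copy = malloc(len ? len : 1);
    if (copy == NULL) return BUF_ERR_NOMEM;
    if (len) memcpy(copy, data, len);
    r->slots[r->count++] = (struct frag){ seq, len, copy };
    return BUF_STORED;
}

/* Free all buffered fragments and null the pointers so that no later
 * code path can touch freed memory (the class of bug in CVE-2009-1379). */
void reasm_clear(struct reasm *r)
{
    for (size_t i = 0; i < r->count; i++) {
        free(r->slots[i].data);
        r->slots[i].data = NULL;
    }
    r->count = 0;
}
```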
CHARACTERISTICS
– Identifiers: BID-35001, CVE-2009-1377, CVE-2009-1378,
CVE-2009-1379, MDVSA-2009:120, VIGILANCE-VUL-8719
– Url: http://vigilance.fr/vulnerability/OpenSSL-denial-of-service-via-DTLS-8719