Actu
Vigil@nce - OpenSSL: denial of service via TLS 1.2
January 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use TLS 1.2 with an application linked to OpenSSL,
in order to trigger a denial of service.
Impacted products: Debian, Fedora, OpenSSL, openSUSE
Severity: 2/4
Creation date: 23/12/2013
DESCRIPTION OF THE VULNERABILITY
The OpenSSL library supports versions 1.0 to 1.2 of TLS.
The ssl_get_algorithm2() function of the ssl/s3_lib.c file obtains
the version of the current session. However, this function uses a
structure which is not always up to date. An internal error thus
occurs.
An attacker can therefore use TLS 1.2 with an application linked
to OpenSSL, in order to trigger a denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSL-denial-of-service-via-TLS-1-2-13978
