Vigil@nce - OpenSSL: NULL pointer dereference via ssl23_get_client_hello
January 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can force a NULL pointer to be dereferenced in
ssl23_get_client_hello() of OpenSSL, in order to trigger a denial
of service.
Impacted products: Debian, MBS, OpenSSL, Slackware
Severity: 2/4
Creation date: 29/12/2014
DESCRIPTION OF THE VULNERABILITY
The OpenSSL library can be compiled with the no-ssl3 option, in
order to disable SSLv3.
However, since the patch for the vulnerability
VIGILANCE-VUL-15491, if OpenSSL is compiled with no-ssl3 and
receives a SSL v3 Client Hello message, the
ssl23_get_client_hello() function of the ssl/s23_srvr.c file uses
a NULL pointer.
An attacker can therefore force a NULL pointer to be dereferenced
in ssl23_get_client_hello() of OpenSSL, in order to trigger a
denial of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSL-NULL-pointer-dereference-via-ssl23-get-client-hello-15882