CVE-2010-4252
https://notcve.org/view.php?id=CVE-2010-4252
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round of the protocol. OpenSSL en versiones anteriores a la 1.0.0c, si J-PAKE está activado, no valida apropiadamente los parámetros públicos en el protocolo J-PAKE, lo que permite a atacantes remotos evitar la necesidad de saber el secreto compartido y validarse con éxito, enviando valores modificados en cada ronda del protocolo. • http://cvs.openssl.org/chngview?cn=20098 http://marc.info/?l=bugtraq&m=129916880600544&w=2 http://marc.info/?l=bugtraq&m=130497251507577&w=2 http://openssl.org/news/secadv_20101202.txt http://seb.dbzteam.org/crypto/jpake-session-key-retrieval.pdf http://secunia.com/advisories/42469 http://secunia.com/advisories/57353 http://securitytracker.com/id?1024823 http://slackware.com/security/viewer.php? • CWE-287: Improper Authentication •
CVE-2010-3864 – OpenSSL TLS extension parsing race condition
https://notcve.org/view.php?id=CVE-2010-3864
Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography. Múltiples vulnerabilidades de condición de carrera en ssl/t1_lib.c en OpenSSL v0.9.8f a la v0.9.8o, v1.0.0, y v1.0.0a, cuando la multi-hilo la caché interna está activada en el servidor TLS, podría permitir a atacantes remotos ejecutar código de su elección a través de datos del cliente que provocan un desbordamiento de búfer basado en memoria dinámica (heap), relacionado con (1)el nombre de extensión del servidor TLS y (2) la curva elíptica criptográfica. • http://blogs.sun.com/security/entry/cve_2010_3864_race_condition http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777 http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051170.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051237.html http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051255.html http://lists.opensuse.org/opensuse-security • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2010-2939 – OpenSSL - 'ssl3_get_key_exchange()' Use-After-Free Memory Corruption
https://notcve.org/view.php?id=CVE-2010-2939
Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime. NOTE: some sources refer to this as a use-after-free issue. Vulnerabilidad de doble liberación en la función ssl3_get_key_exchange en el cliente OpenSSL (ssl/s3_clnt.c) de OpenSSL v1.0.0a, v0.9.8, v0.9.7, y posiblemente otras versiones, cuando usa ECDH, permite a atacantes depediendo del contexto provocar una denegación de servicio (caída) y posiblemente ejecutar código a su elección a través de claves privadas manipuladas con un número no válido. NOTA: algunas fuentes se refieren a esto como un problema de uso después de la liberación. • https://www.exploit-db.com/exploits/34427 http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html http://marc.info/?l=bugtraq&m=130331363227777&w=2 http://seclists.org/fulldisclosure/2010/Aug/84 http://secunia.com/advisories/40906 http://secunia.com/advisories/41105 http://secunia.com/advisories/42309 http://secunia.com/advisories/42413 http://secunia.com/advisories/43312 http://security.FreeBSD.org/advisories/FreeBSD-SA-10:10.openssl.asc http://securitytra • CWE-399: Resource Management Errors •
CVE-2010-0742
https://notcve.org/view.php?id=CVE-2010-0742
The Cryptographic Message Syntax (CMS) implementation in crypto/cms/cms_asn1.c in OpenSSL before 0.9.8o and 1.x before 1.0.0a does not properly handle structures that contain OriginatorInfo, which allows context-dependent attackers to modify invalid memory locations or conduct double-free attacks, and possibly execute arbitrary code, via unspecified vectors. Vulnerabilidad en la implemtanción "Cryptographic Message Syntax" (CMS) en "crypto/cms/cms_asn1.c" en OpenSSL anterior a v0.9.8o y v1.x anterior a v1.0.0a no maneja correctamente estructuras que contienen "OriginatorInfo" las cuales permiten a atacantes dependientes del contexto modificar direcciones inválidas de memoria o llevar a cabo ataques de liberación doble con posibilidad de ejecutar código aleatorio a través de vectores sin especificar. • http://cvs.openssl.org/chngview?cn=19693 http://cvs.openssl.org/filediff?f=openssl/crypto/cms/cms_asn1.c&v1=1.8&v2=1.8.6.1 http://marc.info/?l=bugtraq&m=129138643405740&w=2 http://rt.openssl.org/Ticket/Display.html?id=2211&user=guest&pass=guest http://secunia.com/advisories/40000 http://secunia.com/advisories/40024 http://secunia.com/advisories/42457 http://secunia.com/advisories/42724 http://secunia.com/advisories/42733 http://secunia.com/advisories/57353 • CWE-310: Cryptographic Issues •
CVE-2010-0740 – OpenSSL - Remote Denial of Service
https://notcve.org/view.php?id=CVE-2010-0740
The ssl3_get_record function in ssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer dereference, related to the minor version number. NOTE: some of these details are obtained from third party information. La función ssl3_get_record en ssl/s3_pkt.c en OpenSSL v0.9.8f hasta v0.9.8m permite a atacantes remotos provocar una denegación de servicio (caída) a través de un registro mal formado en una conexión TLS que provoca una desreferencia a puntero NULL, relativo al número de versión menor. NOTA: algunos de estos detalles se han obtenido de información de terceras personas. • https://www.exploit-db.com/exploits/12334 http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038587.html http://marc.info/?l=bugtraq&m=127128920008563&w=2 http://marc.info/?l=bugtraq&m=127557640302499&w=2 http://secunia.com/advisories/39932 http://secunia.com/advisories/42724 http://secunia.com/advisories/42733 http: • CWE-20: Improper Input Validation •