// For flags

CVE-2009-1378

OpenSSL: DTLS fragment handling memory DoS

Severity Score

5.0
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

2
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."

Múltiples fugas de memoria en la función dtls1_process_out_of_seq_message en ssl/d1_both.c en OpenSSL v0.9.8k y anteriores permite a atacantes remotos producir una denegación de servicio (consumo de memoria) a través de registros DTLS que (1) son duplicados o (2) tienen una secuencia de números mucho mayor que la actual secuencia de números, conocido también como "fuga de memoria en el manejo de fragmentos DTLS".

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2009-04-23 CVE Reserved
  • 2009-05-19 CVE Published
  • 2024-02-08 EPSS Updated
  • 2024-08-07 CVE Updated
  • 2024-08-07 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-401: Missing Release of Memory after Effective Lifetime
CAPEC
References (37)
URL Tag Source
http://lists.vmware.com/pipermail/security-announce/2010/000082.html Mailing List
http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest Broken Link
http://secunia.com/advisories/35128 Not Applicable
http://secunia.com/advisories/35416 Not Applicable
http://secunia.com/advisories/35461 Not Applicable
http://secunia.com/advisories/35571 Not Applicable
http://secunia.com/advisories/35729 Not Applicable
http://secunia.com/advisories/36533 Not Applicable
http://secunia.com/advisories/37003 Not Applicable
http://secunia.com/advisories/38761 Not Applicable
http://secunia.com/advisories/38794 Not Applicable
http://secunia.com/advisories/38834 Not Applicable
http://secunia.com/advisories/42724 Not Applicable
http://secunia.com/advisories/42733 Not Applicable
http://sourceforge.net/mailarchive/message.php?msg_name=4AD43807.7080105%40users.sourceforge.net Broken Link
http://voodoo-circle.sourceforge.net/sa/sa-20091012-01.html Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/05/18/1 Mailing List
http://www.securityfocus.com/bid/35001 Broken Link
http://www.securitytracker.com/id?1022241 Broken Link
https://kb.bluecoat.com/index?page=content&id=SA50 Broken Link
https://launchpad.net/bugs/cve/2009-1378 Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11309 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7229 Broken Link
URL Date SRC
http://marc.info/?l=openssl-dev&m=124263491424212&w=2 2024-08-07
https://www.exploit-db.com/exploits/8720 2024-08-07
URL Date SRC
http://cvs.openssl.org/chngview?cn=18188 2024-02-07
http://marc.info/?l=openssl-dev&m=124247679213944&w=2 2024-02-07
URL Date SRC
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc 2024-02-07
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444 2024-02-07
http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html 2024-02-07
http://security.gentoo.org/glsa/glsa-200912-01.xml 2024-02-07
http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049 2024-02-07
http://www.mandriva.com/security/advisories?name=MDVSA-2009:120 2024-02-07
http://www.redhat.com/support/errata/RHSA-2009-1335.html 2024-02-07
http://www.ubuntu.com/usn/USN-792-1 2024-02-07
https://access.redhat.com/security/cve/CVE-2009-1378 2009-09-02
https://bugzilla.redhat.com/show_bug.cgi?id=501254 2009-09-02
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 > 0.9.8 < 0.9.8m
Search vendor "Openssl" for product "Openssl" and version " > 0.9.8 < 0.9.8m"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 6.06
Search vendor "Canonical" for product "Ubuntu Linux" and version "6.06"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 8.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 8.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "8.10"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 9.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "9.04"
-
Affected