// For flags

CVE-2009-1386

OpenSSL < 0.9.8i - DTLS ChangeCipherSpec Remote Denial of Service

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.

ssl/s3_pkt.c en OpenSSL anteriores a v0.9.8i permite a los atacantes remotos, causar una denegación de servicios (puntero NULO desreferenciado y caída del "daemon"), a través de un paquete ChangeCipherSpec DTLs que ocurre antes de ClientHello.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2009-04-23 CVE Reserved
  • 2009-06-04 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-08-07 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-476: NULL Pointer Dereference
CAPEC
References (23)
URL Tag Source
http://lists.vmware.com/pipermail/security-announce/2010/000082.html Mailing List
http://secunia.com/advisories/35571 Not Applicable
http://secunia.com/advisories/35685 Not Applicable
http://secunia.com/advisories/35729 Not Applicable
http://secunia.com/advisories/36533 Not Applicable
http://secunia.com/advisories/38794 Not Applicable
http://secunia.com/advisories/38834 Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/06/02/1 Mailing List
https://exchange.xforce.ibmcloud.com/vulnerabilities/50963 Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11179 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7469 Broken Link
URL Date SRC
https://packetstorm.news/files/id/180494 2024-08-31
https://www.exploit-db.com/exploits/8873 2024-08-07
http://www.securityfocus.com/bid/35174 2024-08-07
URL Date SRC
http://cvs.openssl.org/chngview?cn=17369 2024-02-07
URL Date SRC
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc 2024-02-07
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444 2024-02-07
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html 2024-02-07
http://rt.openssl.org/Ticket/Display.html?id=1679&amp;user=guest&amp;pass=guest 2024-02-07
http://www.redhat.com/support/errata/RHSA-2009-1335.html 2024-02-07
http://www.ubuntu.com/usn/USN-792-1 2024-02-07
https://access.redhat.com/security/cve/CVE-2009-1386 2009-09-02
https://bugzilla.redhat.com/show_bug.cgi?id=503685 2009-09-02
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 > 0.9.8 < 0.9.8i
Search vendor "Openssl" for product "Openssl" and version " > 0.9.8 < 0.9.8i"
-
Affected
Redhat
Search vendor "Redhat"
 Openssl
Search vendor "Redhat" for product "Openssl"
 0.9.6-15
Search vendor "Redhat" for product "Openssl" and version "0.9.6-15"
-
Affected
Redhat
Search vendor "Redhat"
 Openssl
Search vendor "Redhat" for product "Openssl"
 0.9.6b-3
Search vendor "Redhat" for product "Openssl" and version "0.9.6b-3"
-
Affected
Redhat
Search vendor "Redhat"
 Openssl
Search vendor "Redhat" for product "Openssl"
 0.9.7a-2
Search vendor "Redhat" for product "Openssl" and version "0.9.7a-2"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 6.06
Search vendor "Canonical" for product "Ubuntu Linux" and version "6.06"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 8.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 8.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "8.10"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 9.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "9.04"
-
Affected