CVE-2014-0195
OpenSSL DTLS Fragment Out-Of-Bounds Write Remote Code Execution Vulnerability
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
La función dtls1_reassemble_fragment en d1_both.c en OpenSSL anterior a 0.9.8za, 1.0.0 anterior a 1.0.0m y 1.0.1 anterior a 1.0.1h no valida debidamente longitudes de fragmentos en mensajes DTLS ClientHello, lo que permite a atacantes remotos ejecutar código arbitrario o causar una denegación de servicio (desbordamiento de buffer y caída de aplicación) a través de un fragmento no inicial largo.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OpenSSL. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of DTLS packets. The issue lies in the assumption that all fragments specify the same message size. An attacker could leverage this vulnerability to execute code in the context of the process using OpenSSL.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2013-12-03 CVE Reserved
- 2014-06-05 CVE Published
- 2014-06-10 First Exploit
- 2024-08-06 CVE Updated
- 2024-10-28 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CAPEC
References (128)
URL | Date | SRC |
---|---|---|
https://github.com/ricedu/CVE-2014-0195 | 2014-06-10 |
URL | Date | SRC |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=1103598 | 2014-06-10 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | >= 0.9.8 < 0.9.8za Search vendor "Openssl" for product "Openssl" and version " >= 0.9.8 < 0.9.8za" | - |
Affected
| ||||||
Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | >= 1.0.0 < 1.0.0m Search vendor "Openssl" for product "Openssl" and version " >= 1.0.0 < 1.0.0m" | - |
Affected
| ||||||
Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | >= 1.0.1 < 1.0.1h Search vendor "Openssl" for product "Openssl" and version " >= 1.0.1 < 1.0.1h" | - |
Affected
| ||||||
Mariadb Search vendor "Mariadb" | Mariadb Search vendor "Mariadb" for product "Mariadb" | >= 10.0.0 < 10.0.13 Search vendor "Mariadb" for product "Mariadb" and version " >= 10.0.0 < 10.0.13" | - |
Affected
| ||||||
Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 42.1 Search vendor "Opensuse" for product "Leap" and version "42.1" | - |
Affected
| ||||||
Opensuse Search vendor "Opensuse" | Opensuse Search vendor "Opensuse" for product "Opensuse" | 13.2 Search vendor "Opensuse" for product "Opensuse" and version "13.2" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 19 Search vendor "Fedoraproject" for product "Fedora" and version "19" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 20 Search vendor "Fedoraproject" for product "Fedora" and version "20" | - |
Affected
|