// For flags

CVE-2014-0195

OpenSSL DTLS Fragment Out-Of-Bounds Write Remote Code Execution Vulnerability

Severity Score

6.8
*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.

La función dtls1_reassemble_fragment en d1_both.c en OpenSSL anterior a 0.9.8za, 1.0.0 anterior a 1.0.0m y 1.0.1 anterior a 1.0.1h no valida debidamente longitudes de fragmentos en mensajes DTLS ClientHello, lo que permite a atacantes remotos ejecutar código arbitrario o causar una denegación de servicio (desbordamiento de buffer y caída de aplicación) a través de un fragmento no inicial largo.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of OpenSSL. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of DTLS packets. The issue lies in the assumption that all fragments specify the same message size. An attacker could leverage this vulnerability to execute code in the context of the process using OpenSSL.

*Credits: Jüri Aedla
CVSS Scores
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2013-12-03 CVE Reserved
  • 2014-06-05 CVE Published
  • 2014-06-10 First Exploit
  • 2024-08-06 CVE Updated
  • 2024-10-28 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CAPEC
References (128)
URL Tag Source
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory9.asc Third Party Advisory
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048 Broken Link
http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002 Broken Link
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10629 Third Party Advisory
http://seclists.org/fulldisclosure/2014/Dec/23 Mailing List
http://secunia.com/advisories/58337 Not Applicable
http://secunia.com/advisories/58615 Not Applicable
http://secunia.com/advisories/58660 Not Applicable
http://secunia.com/advisories/58713 Not Applicable
http://secunia.com/advisories/58714 Not Applicable
http://secunia.com/advisories/58743 Not Applicable
http://secunia.com/advisories/58883 Not Applicable
http://secunia.com/advisories/58939 Not Applicable
http://secunia.com/advisories/58945 Not Applicable
http://secunia.com/advisories/58977 Not Applicable
http://secunia.com/advisories/59040 Not Applicable
http://secunia.com/advisories/59126 Not Applicable
http://secunia.com/advisories/59162 Not Applicable
http://secunia.com/advisories/59175 Not Applicable
http://secunia.com/advisories/59188 Not Applicable
http://secunia.com/advisories/59189 Not Applicable
http://secunia.com/advisories/59192 Not Applicable
http://secunia.com/advisories/59223 Not Applicable
http://secunia.com/advisories/59287 Not Applicable
http://secunia.com/advisories/59300 Not Applicable
http://secunia.com/advisories/59301 Not Applicable
http://secunia.com/advisories/59305 Not Applicable
http://secunia.com/advisories/59306 Not Applicable
http://secunia.com/advisories/59310 Not Applicable
http://secunia.com/advisories/59342 Not Applicable
http://secunia.com/advisories/59364 Not Applicable
http://secunia.com/advisories/59365 Not Applicable
http://secunia.com/advisories/59413 Not Applicable
http://secunia.com/advisories/59429 Not Applicable
http://secunia.com/advisories/59437 Not Applicable
http://secunia.com/advisories/59441 Not Applicable
http://secunia.com/advisories/59449 Not Applicable
http://secunia.com/advisories/59450 Not Applicable
http://secunia.com/advisories/59451 Not Applicable
http://secunia.com/advisories/59454 Not Applicable
http://secunia.com/advisories/59490 Not Applicable
http://secunia.com/advisories/59491 Not Applicable
http://secunia.com/advisories/59514 Not Applicable
http://secunia.com/advisories/59518 Not Applicable
http://secunia.com/advisories/59528 Not Applicable
http://secunia.com/advisories/59530 Not Applicable
http://secunia.com/advisories/59587 Not Applicable
http://secunia.com/advisories/59655 Not Applicable
http://secunia.com/advisories/59659 Not Applicable
http://secunia.com/advisories/59666 Not Applicable
http://secunia.com/advisories/59669 Not Applicable
http://secunia.com/advisories/59721 Not Applicable
http://secunia.com/advisories/59784 Not Applicable
http://secunia.com/advisories/59895 Not Applicable
http://secunia.com/advisories/59990 Not Applicable
http://secunia.com/advisories/60571 Not Applicable
http://secunia.com/advisories/61254 Not Applicable
http://support.apple.com/kb/HT6443 Third Party Advisory
http://support.citrix.com/article/CTX140876 Third Party Advisory
http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15356.html Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg400001841 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=isg400001843 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020163 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21673137 Broken Link
http://www-01.ibm.com/support/docview.wss?uid=swg21675821 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21676035 Broken Link
http://www-01.ibm.com/support/docview.wss?uid=swg21676062 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21676071 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21676419 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21676644 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21676879 Broken Link
http://www-01.ibm.com/support/docview.wss?uid=swg21676889 Broken Link
http://www-01.ibm.com/support/docview.wss?uid=swg21677527 Broken Link
http://www-01.ibm.com/support/docview.wss?uid=swg21677695 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21677828 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21678167 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21678289 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21683332 Third Party Advisory
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095754 Third Party Advisory
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095755 Third Party Advisory
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095756 Third Party Advisory
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095757 Third Party Advisory
http://www.blackberry.com/btsc/KB36051 Third Party Advisory
http://www.f-secure.com/en/web/labs_global/fsc-2014-6 Third Party Advisory
http://www.fortiguard.com/advisory/FG-IR-14-018 Third Party Advisory
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-345106.htm Third Party Advisory
http://www.ibm.com/support/docview.wss?uid=swg21676356 Third Party Advisory
http://www.ibm.com/support/docview.wss?uid=swg21676793 Broken Link
http://www.ibm.com/support/docview.wss?uid=swg24037783 Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html Third Party Advisory
http://www.securityfocus.com/archive/1/534161/100/0/threaded Mailing List
http://www.securityfocus.com/bid/67900 Third Party Advisory
http://www.securitytracker.com/id/1030337 Broken Link
http://www.vmware.com/security/advisories/VMSA-2014-0006.html Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2014-0012.html Third Party Advisory
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=1632ef744872edc2aa2a53d487d3e79c965a4ad3 X_refsource_confirm
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05301946 Third Party Advisory
https://kb.bluecoat.com/index?page=content&id=SA80 Broken Link
https://kc.mcafee.com/corporate/index?page=content&id=SB10075 Broken Link
https://www.novell.com/support/kb/doc.php?id=7015271 Third Party Advisory
URL Date SRC
https://github.com/ricedu/CVE-2014-0195 2014-06-10
URL Date SRC
https://bugzilla.redhat.com/show_bug.cgi?id=1103598 2014-06-10
URL Date SRC
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html 2023-11-07
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2015-04/msg00016.html 2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html 2023-11-07
http://marc.info/?l=bugtraq&m=140266410314613&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140317760000786&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140389274407904&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140389355508263&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140431828824371&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140448122410568&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140482916501310&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140491231331543&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140499827729550&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140621259019789&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140752315422991&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=140904544427729&w=2 2023-11-07
http://marc.info/?l=bugtraq&m=142660345230545&w=2 2023-11-07
http://security.gentoo.org/glsa/glsa-201407-05.xml 2023-11-07
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl 2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2014:106 2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062 2023-11-07
http://www.openssl.org/news/secadv_20140605.txt 2023-11-07
https://access.redhat.com/security/cve/CVE-2014-0195 2014-06-10
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 >= 0.9.8 < 0.9.8za
Search vendor "Openssl" for product "Openssl" and version " >= 0.9.8 < 0.9.8za"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 >= 1.0.0 < 1.0.0m
Search vendor "Openssl" for product "Openssl" and version " >= 1.0.0 < 1.0.0m"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 >= 1.0.1 < 1.0.1h
Search vendor "Openssl" for product "Openssl" and version " >= 1.0.1 < 1.0.1h"
-
Affected
Mariadb
Search vendor "Mariadb"
 Mariadb
Search vendor "Mariadb" for product "Mariadb"
 >= 10.0.0 < 10.0.13
Search vendor "Mariadb" for product "Mariadb" and version " >= 10.0.0 < 10.0.13"
-
Affected
Opensuse
Search vendor "Opensuse"
 Leap
Search vendor "Opensuse" for product "Leap"
 42.1
Search vendor "Opensuse" for product "Leap" and version "42.1"
-
Affected
Opensuse
Search vendor "Opensuse"
 Opensuse
Search vendor "Opensuse" for product "Opensuse"
 13.2
Search vendor "Opensuse" for product "Opensuse" and version "13.2"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 19
Search vendor "Fedoraproject" for product "Fedora" and version "19"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 20
Search vendor "Fedoraproject" for product "Fedora" and version "20"
-
Affected