CVE-2014-3567

openssl: Invalid TLS/SSL session tickets could cause memory leak leading to server crash

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.

Fuga de memoria en la función tls_decrypt_ticket en t1_lib.c en OpenSSL anterior a 0.9.8zc, 1.0.0 anterior a 1.0.0o, y 1.0.1 anterior a 1.0.1j permite a atacantes remotos causar una denegación de servicio (consumo de memoria) a través de un ticket de sesión manipulado que provoca un fallo en la comprobación de integridad.

A memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server.

A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory causing a memory leak. When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. The SSL protocol 3.0, as supported in OpenSSL and other products, supports CBC mode encryption where it could not adequately check the integrity of padding, because of the use of non-deterministic CBC padding. This protocol weakness makes it possible for an attacker to obtain clear text data through a padding-oracle attack. Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-05-14 CVE Reserved
2014-10-15 CVE Published
2024-08-06 CVE Updated
2025-03-31 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation
CWE-399: Resource Management Errors
CWE-401: Missing Release of Memory after Effective Lifetime

CAPEC

References (58)

URL	Tag	Source
http://advisories.mageia.org/MGASA-2014-0416.html	X_refsource_confirm
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory11.asc	X_refsource_confirm
http://secunia.com/advisories/59627	Third Party Advisory
http://secunia.com/advisories/61058	Third Party Advisory
http://secunia.com/advisories/61073	Third Party Advisory
http://secunia.com/advisories/61130	Third Party Advisory
http://secunia.com/advisories/61207	Third Party Advisory
http://secunia.com/advisories/61298	Third Party Advisory
http://secunia.com/advisories/61819	Third Party Advisory
http://secunia.com/advisories/61837	Third Party Advisory
http://secunia.com/advisories/61959	Third Party Advisory
http://secunia.com/advisories/61990	Third Party Advisory
http://secunia.com/advisories/62030	Third Party Advisory
http://secunia.com/advisories/62070	Third Party Advisory
http://secunia.com/advisories/62124	Third Party Advisory
http://support.apple.com/HT204244	X_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21686997	X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html	X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html	X_refsource_confirm
http://www.securityfocus.com/bid/70586	Vdb Entry
http://www.securitytracker.com/id/1031052	Vdb Entry
http://www.splunk.com/view/SP-CAAANST	X_refsource_confirm
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_openssl6	X_refsource_confirm
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=7fd4ce6a997be5f5c9e744ac527725c2850de203	X_refsource_confirm
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888	X_refsource_confirm
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380	X_refsource_confirm
https://kc.mcafee.com/corporate/index?page=content&id=SB10091	X_refsource_confirm
https://support.apple.com/HT205217	X_refsource_confirm
https://support.citrix.com/article/CTX216642	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-015.txt.asc	2023-11-07
http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html	2023-11-07
http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2014-10/msg00008.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00001.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2014-11/msg00003.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html	2023-11-07
http://marc.info/?l=bugtraq&m=141477196830952&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142103967620673&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142118135300698&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142495837901899&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142624590206005&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142791032306609&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142804214608580&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142834685803386&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=143290437727362&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=143290522027658&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=143290583027876&w=2	2023-11-07
http://rhn.redhat.com/errata/RHSA-2014-1652.html	2023-11-07
http://rhn.redhat.com/errata/RHSA-2014-1692.html	2023-11-07
http://rhn.redhat.com/errata/RHSA-2015-0126.html	2023-11-07
http://security.gentoo.org/glsa/glsa-201412-39.xml	2023-11-07
http://www.debian.org/security/2014/dsa-3053	2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2014:203	2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062	2023-11-07
http://www.ubuntu.com/usn/USN-2385-1	2023-11-07
https://www.openssl.org/news/secadv_20141015.txt	2023-11-07
https://access.redhat.com/security/cve/CVE-2014-3567	2015-02-04
https://bugzilla.redhat.com/show_bug.cgi?id=1152961	2015-02-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				<= 0.9.8zb Search vendor "Openssl" for product "Openssl" and version " <= 0.9.8zb"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0 Search vendor "Openssl" for product "Openssl" and version "1.0.0"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0 Search vendor "Openssl" for product "Openssl" and version "1.0.0"		beta1		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0 Search vendor "Openssl" for product "Openssl" and version "1.0.0"		beta2		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0 Search vendor "Openssl" for product "Openssl" and version "1.0.0"		beta3		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0 Search vendor "Openssl" for product "Openssl" and version "1.0.0"		beta4		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0 Search vendor "Openssl" for product "Openssl" and version "1.0.0"		beta5		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0a Search vendor "Openssl" for product "Openssl" and version "1.0.0a"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0b Search vendor "Openssl" for product "Openssl" and version "1.0.0b"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0c Search vendor "Openssl" for product "Openssl" and version "1.0.0c"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0d Search vendor "Openssl" for product "Openssl" and version "1.0.0d"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0e Search vendor "Openssl" for product "Openssl" and version "1.0.0e"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0f Search vendor "Openssl" for product "Openssl" and version "1.0.0f"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0g Search vendor "Openssl" for product "Openssl" and version "1.0.0g"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0h Search vendor "Openssl" for product "Openssl" and version "1.0.0h"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0i Search vendor "Openssl" for product "Openssl" and version "1.0.0i"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0j Search vendor "Openssl" for product "Openssl" and version "1.0.0j"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0k Search vendor "Openssl" for product "Openssl" and version "1.0.0k"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0l Search vendor "Openssl" for product "Openssl" and version "1.0.0l"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0m Search vendor "Openssl" for product "Openssl" and version "1.0.0m"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.0n Search vendor "Openssl" for product "Openssl" and version "1.0.0n"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1 Search vendor "Openssl" for product "Openssl" and version "1.0.1"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1 Search vendor "Openssl" for product "Openssl" and version "1.0.1"		beta1		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1 Search vendor "Openssl" for product "Openssl" and version "1.0.1"		beta2		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1 Search vendor "Openssl" for product "Openssl" and version "1.0.1"		beta3		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1a Search vendor "Openssl" for product "Openssl" and version "1.0.1a"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1b Search vendor "Openssl" for product "Openssl" and version "1.0.1b"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1c Search vendor "Openssl" for product "Openssl" and version "1.0.1c"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1d Search vendor "Openssl" for product "Openssl" and version "1.0.1d"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1e Search vendor "Openssl" for product "Openssl" and version "1.0.1e"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1f Search vendor "Openssl" for product "Openssl" and version "1.0.1f"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1g Search vendor "Openssl" for product "Openssl" and version "1.0.1g"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1h Search vendor "Openssl" for product "Openssl" and version "1.0.1h"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1i Search vendor "Openssl" for product "Openssl" and version "1.0.1i"		-		Affected