CVE-2014-5139

FreeBSD Security Advisory - OpenSSL Vulnerabilities

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The ssl_set_client_disabled function in t1_lib.c in OpenSSL 1.0.1 before 1.0.1i allows remote SSL servers to cause a denial of service (NULL pointer dereference and client application crash) via a ServerHello message that includes an SRP ciphersuite without the required negotiation of that ciphersuite with the client.

La función ssl_set_client_disabled en t1_lib.c en OpenSSL 1.0.1 anterior a 1.0.1i permite a servidores SSL remotos causar una denegación de servicio (referencia a puntero nulo y caída de la aplicación del cliente) a través de un mensaje ServerHello que incluye un suite de cifrado SRP sin la negociación necesaria de este suite de cifrada con el cliente.

Potential security vulnerabilities have been identified with HP System Management Homepage (SMH), HP Smart Update Manager (SUM), and HP Version Control Agent (VCA) which are components of HP Insight Control server deployment. These vulnerabilities are related to the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy Encryption" or "POODLE". The components of HP Insight Control server deployment could be exploited remotely to allow disclosure of information. HP Insight Control server deployment includes HP System Management Homepage (SMH), HP Version Control Agent (VCA), and HP Smart Update Manager (SUM) and deploys them through the following jobs. This bulletin provides the information needed to update the vulnerable components in HP Insight Control server deployment. Install HP Management Agents for Windows x86/x64 Install HP Management Agents for RHEL 5 x64 Install HP Management Agents for RHEL 6 x64 Install HP Management Agents for SLES 10 x64 Install HP Management Agents for SLES 11 x64 Upgrade Proliant Firmware. Revision 1 of this advisory.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-07-30 CVE Reserved
2014-08-06 CVE Published
2023-11-09 First Exploit
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CAPEC

References (48)

URL	Tag	Source
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory10.asc	X_refsource_confirm
http://secunia.com/advisories/59700	Third Party Advisory
http://secunia.com/advisories/59710	Third Party Advisory
http://secunia.com/advisories/59756	Third Party Advisory
http://secunia.com/advisories/60022	Third Party Advisory
http://secunia.com/advisories/60221	Third Party Advisory
http://secunia.com/advisories/60493	Third Party Advisory
http://secunia.com/advisories/60803	Third Party Advisory
http://secunia.com/advisories/60810	Third Party Advisory
http://secunia.com/advisories/60917	Third Party Advisory
http://secunia.com/advisories/60921	Third Party Advisory
http://secunia.com/advisories/61017	Third Party Advisory
http://secunia.com/advisories/61100	Third Party Advisory
http://secunia.com/advisories/61171	Third Party Advisory
http://secunia.com/advisories/61184	Third Party Advisory
http://secunia.com/advisories/61392	Third Party Advisory
http://secunia.com/advisories/61775	Third Party Advisory
http://secunia.com/advisories/61959	Third Party Advisory
http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15567.html	X_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=nas8N1020240	X_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21682293	X_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21683389	X_refsource_confirm
http://www-01.ibm.com/support/docview.wss?uid=swg21686997	X_refsource_confirm
http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-372998.htm	X_refsource_confirm
http://www.securityfocus.com/bid/69077	Vdb Entry
http://www.securitytracker.com/id/1030693	Vdb Entry
http://www.tenable.com/security/tns-2014-06	X_refsource_confirm
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=80bd7b41b30af6ee96f519e629463583318de3b0	X_refsource_confirm
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=83764a989dcc87fbea337da5f8f86806fe767b7e	X_refsource_confirm
https://lists.balabit.hu/pipermail/syslog-ng-announce/2014-September/000196.html	Mailing List

URL	Date	SRC
https://github.com/uthrasri/CVE-2014-5139	2023-11-09

URL	Date	SRC

URL	Date	SRC
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-008.txt.asc	2023-11-07
http://lists.opensuse.org/opensuse-updates/2014-08/msg00036.html	2023-11-07
http://marc.info/?l=bugtraq&m=142350350616251&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142495837901899&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142624590206005&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142624619906067	2023-11-07
http://marc.info/?l=bugtraq&m=142624619906067&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142624679706236&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142624719706349&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142660345230545&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=142791032306609&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=143290437727362&w=2	2023-11-07
http://marc.info/?l=bugtraq&m=143290522027658&w=2	2023-11-07
http://security.gentoo.org/glsa/glsa-201412-39.xml	2023-11-07
http://www.debian.org/security/2014/dsa-2998	2023-11-07
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:18.openssl.asc	2023-11-07
https://www.openssl.org/news/secadv_20140806.txt	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1 Search vendor "Openssl" for product "Openssl" and version "1.0.1"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1 Search vendor "Openssl" for product "Openssl" and version "1.0.1"		beta1		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1 Search vendor "Openssl" for product "Openssl" and version "1.0.1"		beta2		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1 Search vendor "Openssl" for product "Openssl" and version "1.0.1"		beta3		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1a Search vendor "Openssl" for product "Openssl" and version "1.0.1a"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1b Search vendor "Openssl" for product "Openssl" and version "1.0.1b"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1c Search vendor "Openssl" for product "Openssl" and version "1.0.1c"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1d Search vendor "Openssl" for product "Openssl" and version "1.0.1d"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1e Search vendor "Openssl" for product "Openssl" and version "1.0.1e"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1f Search vendor "Openssl" for product "Openssl" and version "1.0.1f"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1g Search vendor "Openssl" for product "Openssl" and version "1.0.1g"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.1h Search vendor "Openssl" for product "Openssl" and version "1.0.1h"		-		Affected