cbcvebase.
CVE-2007-5135
published 2007-09-27

Priority: P3 39
CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 16.06% (96.5th percentile)
Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.

Affected

25 ranges
Vendor    Product   Version range                     Fixed in
debian    openssl   < openssl 0.9.8e-9 (bookworm)     openssl 0.9.8e-9 (bookworm)
openssl   openssl   (range not listed)                (not listed)
openssl   openssl   >= 0 < 0.9.8e-9                   0.9.8e-9

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered via a crafted packet sent to applications using the SSL_get_shared_ciphers() function, causing a one-byte buffer underflow (NULL byte written past end of cipher list buffer). Detection should focus on anomalous TLS/SSL handshake packets with malformed or oversized cipher suite lists targeting this function.
  • Only applications that call SSL_get_shared_ciphers() are affected. Audit and monitor processes invoking this OpenSSL function for unexpected crashes or code execution.
  • The vulnerable code path resides in ssl/ssl_lib.c within the OpenSSL source tree. Patch verification or file integrity monitoring should target this file.
  • Affected OpenSSL versions are 0.9.7 through 0.9.7l and 0.9.8 through 0.9.8f. The vulnerability was introduced as a result of an incorrect fix for CVE-2006-3738, so systems patched for CVE-2006-3738 but not CVE-2007-5135 remain vulnerable.
  • As of the advisory date, whether reliable code execution is achievable was unconfirmed; impact may be limited to denial of service (crash) in practice.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                       10.0    CRITICAL
vendor_debian             10.0    LOW
vendor_redhat             10.0    CRITICAL
vendor_ubuntu             1.2     LOW