CVE-2007-5135
Published 2007-09-27
CVE-2007-5135: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute…
Priority: P339, medium, 6.8 (CVSS 2.0), AV:N/AC:M/Au:N/C:P/I:P/A:P
EPSS: 16.06% (96.5th percentile)
Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssl | < openssl 0.9.8e-9 (bookworm) | openssl 0.9.8e-9 (bookworm) |
| openssl | openssl | — | — |
| openssl | openssl | >= 0 < 0.9.8e-9 | 0.9.8e-9 |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via a crafted packet sent to applications using the SSL_get_shared_ciphers() function, causing a one-byte buffer underflow (NULL byte written past end of cipher list buffer). Detection should focus on anomalous TLS/SSL handshake packets with malformed or oversized cipher suite lists targeting this function.
- Only applications that call SSL_get_shared_ciphers() are affected. Audit and monitor processes invoking this OpenSSL function for unexpected crashes or code execution.
- The vulnerable code path resides in ssl/ssl_lib.c within the OpenSSL source tree. Patch verification or file integrity monitoring should target this file.
- Affected OpenSSL versions are 0.9.7 through 0.9.7l and 0.9.8 through 0.9.8f. The vulnerability was introduced as a result of an incorrect fix for CVE-2006-3738, so systems patched for CVE-2006-3738 but not CVE-2007-5135 remain vulnerable.
- As of the advisory date, whether reliable code execution is achievable was unconfirmed; impact may be limited to denial of service (crash) in practice.
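CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | LOW | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 1.2 | LOW | — |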
GHSA
GHSA-jvv3-c5fw-96v6: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0
ghsa_unreviewed·2022-05-03·CVSS 10.0
CVE-2007-5135 [CRITICAL] GHSA-jvv3-c5fw-96v6: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0
OSV
CVE-2007-5135: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0
osv·2007-09-27·CVSS 10.0
CVE-2007-5135 [CRITICAL] CVE-2007-5135: Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0
VMware
Updated service console patches.
vendor_vmware·2008-01-07·CVSS 1.2
CVE-2007-3108 [LOW] Updated service console patches.
VMSA-2008-0001: Updated service console patches.
CVEs: CVE-2007-3108, CVE-2007-4572, CVE-2007-5116, CVE-2007-5135, CVE-2007-5191, CVE-2007-5360, CVE-2007-5398
BSD
FreeBSD-SA-07:08.openssl: Buffer overflow in OpenSSL SSL_get_shared_ciphers()
bsd_advisories·2007-10-03·CVSS 6.8
CVE-2006-3738 [MEDIUM] FreeBSD-SA-07:08.openssl: Buffer overflow in OpenSSL SSL_get_shared_ciphers()
FreeBSD-SA-07:08.openssl Security Advisory
The FreeBSD Project
Topic: Buffer overflow in OpenSSL SSL_get_shared_ciphers()
Category: contrib
Module: openssl
Announced: 2007-10-03
Credits: Moritz Jodeit
Affects: All FreeBSD releases.
Corrected: 2007-10-03 21:39:43 UTC (RELENG_6, 6.2-STABLE)
           2007-10-03 21:40:35 UTC (RELENG_6_2, 6.2-RELEASE-p8)
           2007-10-03 21:41:22 UTC (RELENG_6_1, 6.1-RELEASE-p20)
           2007-10-03 21:42:00 UTC (RELENG_5, 5.5-STABLE)
           2007-10-03 21:42:32 UTC (RELENG_5_5, 5.5-RELEASE-p16)
CVE Name: CVE-2007-5135
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative
Ubuntu
openssl vulnerabilities
vendor_ubuntu·2007-09-28·CVSS 1.2
CVE-2007-3108 [LOW] openssl vulnerabilities
Title: openssl vulnerabilities
Summary: openssl vulnerabilities
It was discovered that OpenSSL did not correctly perform Montgomery
multiplications. Local attackers might be able to reconstruct RSA
private keys by examining another user's OpenSSL processes. (CVE-2007-3108)
Moritz Jodeit discovered that OpenSSL's SSL_get_shared_ciphers function
did not correctly check the size of the buffer it was writing to.
A remote attacker could exploit this to write one NULL byte past the end of
an application's cipher list buffer, possibly leading to arbitrary code
execution or a denial of service. (CVE-2007-5135)
Instructions: After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Red Hat
openssl: SSL_get_shared_ciphers() off-by-one
vendor_redhat·2007-09-27·CVSS 10.0
CVE-2007-5135 [CRITICAL] CWE-193 openssl: SSL_get_shared_ciphers() off-by-one
Debian
CVE-2007-5135: openssl - Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0...
vendor_debian·2007·CVSS 10.0
CVE-2007-5135 [CRITICAL] CVE-2007-5135: openssl - Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0...
Scope: local
bookworm: resolved (fixed in 0.9.8e-9)
bullseye: resolved (fixed in 0.9.8e-9)
forky: resolved (fixed in 0.9.8e-9)
sid: resolved (fixed in 0.9.8e-9)
trixie: resolved (fixed in 0.9.8e-9)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.