CVE-2008-1672 — NULL Pointer Dereference in Openssl

CWE-476 — NULL Pointer Dereference8 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

19.0%

top 4.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl Canonical Ubuntu Linux

Timeline

PublishedMay 29

Latest updateFeb 29

Description

OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (crash) via a TLS handshake that omits the Server Key Exchange message and uses "particular cipher suites," which triggers a NULL pointer dereference.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/openssl< openssl 0.9.8g-10.1 (bookworm)

▶Debianopenssl/openssl< 0.9.8g-10.1+3

▶NVDopenssl/openssl0.9.8f, 0.9.8g+1

Also affects: Ubuntu Linux 8.04

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

GHSA-322g-pxmj-97cc: OpenSSL 0↗2022-05-01

▶

OSV

CVE-2008-1672: OpenSSL 0↗2008-05-29

▶

📋Vendor Advisories

Ubuntu

OpenSSL vulnerabilities↗2008-06-26

▶

Red Hat

openssl: Omit Server Key Exchange message crash↗2008-05-28

▶

Debian

CVE-2008-1672: openssl - OpenSSL 0.9.8f and 0.9.8g allows remote attackers to cause a denial of service (...↗2008

▶

📄Research Papers

arXiv

CEBin: A Cost-Effective Framework for Large-Scale Binary Code Similarity Detection↗2024-02-29

▶

💬Community

Bugzilla

CVE-2008-1672 openssl: Omit Server Key Exchange message crash↗2008-05-27

▶