CVE-2010-4180 — Openssl vulnerability

10 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

3.8%

top 11.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl F5 Nginx Canonical Ubuntu Linux +6 more

Timeline

PublishedDec 6

Latest updateMay 17

Description

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages6 packages

▶NVDopenssl/openssl1.0.0 — 1.0.0c+1

▶Debianopenssl/openssl< 0.9.8o-4+3

▶NVDf5/nginx< 0.9.2

▶NVDopensuse/opensuse4 versions+3

▶NVDsuse/linux_enterprise_server10, 9+1

Also affects: Debian Linux 5.0, Fedora 13, 14, Linux Enterprise 11.0, Ubuntu Linux 10.04, 10.10, 6.06, 8.04, 9.04

Patches

Patch: cvs.openssl.org ↗Patch: openssl.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-hvp6-pw37-63wh: OpenSSL before 0↗2022-05-17

▶

OSV

CVE-2010-4180: OpenSSL before 0↗2010-12-06

▶

CVEList

CVE-2010-4180: OpenSSL before 0↗2010-12-06

▶

📋Vendor Advisories

Ubuntu

OpenSSL vulnerabilities↗2010-12-08

▶

Red Hat

openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack↗2010-12-02

▶

Red Hat

openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack↗2010-12-02

▶

Debian

CVE-2010-4180: openssl - OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHE...↗2010

▶

💬Community

Bugzilla

CVE-2008-7270 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG downgrade-to-disabled ciphersuite attack↗2010-12-07

▶

Bugzilla

CVE-2010-4180 openssl: NETSCAPE_REUSE_CIPHER_CHANGE_BUG ciphersuite downgrade attack↗2010-12-02

▶