CVE-2013-4353 — Improper Input Validation in Openssl

CWE-20 — Improper Input Validation CWE-476 — NULL Pointer Dereference11 documents9 sources

Severity

4.3MEDIUMNVD

EPSS

22.5%

top 4.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedJan 9

Latest updateFeb 29

Description

The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/openssl< openssl 1.0.1f-1 (bookworm)

▶Debianopenssl/openssl< 1.0.1f-1+3

▶NVDopenssl/openssl6 versions+5

🔴Vulnerability Details

GHSA

GHSA-3r93-c4x2-hj85: The ssl3_take_mac function in ssl/s3_both↗2022-05-17

▶

OSV

CVE-2013-4353: The ssl3_take_mac function in ssl/s3_both↗2014-01-09

▶

📋Vendor Advisories

BSD

FreeBSD-SA-14:03.openssl: OpenSSL multiple vulnerabilities↗2014-01-14

▶

Ubuntu

OpenSSL vulnerabilities↗2014-01-09

▶

Red Hat

openssl: client NULL dereference crash on malformed handshake packets↗2014-01-06

▶

Debian

CVE-2013-4353: openssl - The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allow...↗2013

▶

📄Research Papers

arXiv

CEBin: A Cost-Effective Framework for Large-Scale Binary Code Similarity Detection↗2024-02-29

▶

💬Community

Bugzilla

CVE-2013-4353 openssl: client NULL dereference crash on malformed handshake packets↗2014-01-06

▶

Bugzilla

CVE-2013-4353 mingw-openssl: openssl: TLS record tampering issue can lead to OpenSSL crash [fedora-all]↗2014-01-06

▶

Bugzilla

CVE-2013-4353 openssl: TLS record tampering issue can lead to OpenSSL crash [fedora-all]↗2014-01-06

▶