CVE-2013-4353
Published: 2014-01-09
Priority: P4 (20), medium, CVSS 2.0 base score 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS: 11.85% (95.6th percentile)
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssl | < openssl 1.0.1f-1 (bookworm) | openssl 1.0.1f-1 (bookworm) |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | >= 0 < 1.0.1f-1 | 1.0.1f-1 |
| openssl | openssl | >= 0 < 1.0.1f-1 | 1.0.1f-1 |
| openssl | openssl | >= 0 < 1.0.1f-1 | 1.0.1f-1 |
| openssl | openssl | >= 0 < 1.0.1f-1 | 1.0.1f-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |
BSD
FreeBSD-SA-14:03.openssl: OpenSSL multiple vulnerabilities
bsd_advisories·2014-01-14·CVSS 4.3
FreeBSD-SA-14:03.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2014-01-14
Affects: FreeBSD 10.0 prior to 10.0-RC5
Corrected: 2014-01-07 20:04:41 UTC (stable/10, 10.0-PRERELEASE)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC5)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC4-p1)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC3-p1)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC2-p1)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC1-p1)
CVE Name: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD includes software from the OpenSSL
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2014-01-09·CVSS 4.3
Title: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
Anton Johansson discovered that OpenSSL incorrectly handled certain invalid
TLS handshakes. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2013-4353)
Ron Barber discovered that OpenSSL used an incorrect data structure to
obtain a version number. A remote attacker could use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2013-6449)
Dmitry Sobinov discovered that OpenSSL incorrectly handled certain DTLS
retransmissions. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2013-6450)
This update also disables the default use of the RdRand feature of certain
Intel CP
Red Hat
openssl: client NULL dereference crash on malformed handshake packets
vendor_redhat·2014-01-06·CVSS 4.3
CWE-476
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.
Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and earlier.
Package: openssl (Red Hat Enterprise Linux 5) - Not affected
Package: openssl097a (Red Hat Enterprise Linux 5) - Not affected
Package: openssl098e (Red Hat Enterprise Linux 6) - Not affected
Package: openssl (Red Hat Enterprise Linux 7) - Not affected
Package: openssl098e (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2013-4353: openssl - The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allow...
vendor_debian·2013·CVSS 4.3
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.
Scope: local
bookworm: resolved (fixed in 1.0.1f-1)
bullseye: resolved (fixed in 1.0.1f-1)
forky: resolved (fixed in 1.0.1f-1)
sid: resolved (fixed in 1.0.1f-1)
trixie: resolved (fixed in 1.0.1f-1)
GHSA
GHSA-3r93-c4x2-hj85: The ssl3_take_mac function in ssl/s3_both
ghsa_unreviewed·2022-05-17
CWE-20
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.
OSV
CVE-2013-4353: The ssl3_take_mac function in ssl/s3_both
osv·2014-01-09·CVSS 4.3
The ssl3_take_mac function in ssl/s3_both.c in OpenSSL 1.0.1 before 1.0.1f allows remote TLS servers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Next Protocol Negotiation record in a TLS handshake.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-4353 openssl: client NULL dereference crash on malformed handshake packets
bugzilla·2014-01-06·CVSS 4.3
A flaw was found in the way OpenSSL handled TLS handshakes. A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception.
This flaw only affects OpenSSL versions 1.0.1 through 1.0.1e; earlier versions are not affected and this is corrected in upstream version 1.0.1f [1],[2].
[1] http://www.openssl.org/news/vulnerabilities.html#2013-4353
[2] http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=197e0ea817ad64820789d86711d55ff50d71f631
Discussion:
Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1049061]
---
Created mingw-openssl tracking bugs for this issue:
Affects: fedora-all [bug 1049062]
---
This is a client side issue - an application
Bugzilla
CVE-2013-4353 mingw-openssl: openssl: TLS record tampering issue can lead to OpenSSL crash [fedora-all]
bugzilla·2014-01-06·CVSS 4.3
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Bugzilla
CVE-2013-4353 openssl: TLS record tampering issue can lead to OpenSSL crash [fedora-all]
bugzilla·2014-01-06·CVSS 4.3
arXiv
CEBin: A Cost-Effective Framework for Large-Scale Binary Code Similarity Detection
arxiv_fulltext·2024-02-29
Hao Wang^1, Zeyu Gao^1, Chao Zhang^1, Mingyang Sun^2, Yuchen Zhou^3, Han Qiu^1, Xi Xiao^4
^1Tsinghua University, Beijing, China
^2University of Electronic Science and Technology of China, Chengdu, China
^3Beijing University of Technology, Beijing, China
^4Tsinghua University, Shenzhen, China
Abstract
Binary code similarity detection (BCSD) is a fundamental technique for various applications.
Many BCSD solutions have been proposed recently, which mostly are embed
References
http://git.openssl.org/gitweb/?p=openssl.git;a=blob_plain;f=CHANGES;hb=refs/heads/OpenSSL_1_0_1-stable
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=197e0ea817ad64820789d86711d55ff50d71f631
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00065.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00067.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00070.html
http://rhn.redhat.com/errata/RHSA-2014-0015.html
http://rhn.redhat.com/errata/RHSA-2014-0041.html
http://www-01.ibm.com/support/docview.wss?uid=isg400001841
http://www-01.ibm.com/support/docview.wss?uid=isg400001843
http://www.debian.org/security/2014/dsa-2837
http://www.openssl.org/news/vulnerabilities.html
http://www.splunk.com/view/SP-CAAAMB3
http://www.ubuntu.com/usn/USN-2079-1
https://bugzilla.redhat.com/show_bug.cgi?id=1049058