CVE-2013-6450
Published: 2014-01-01
Priority: P4 30, medium, 5.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
EPSS: 14.54% (96.2th percentile)
The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssl | < openssl 1.0.1e-5 (bookworm) | openssl 1.0.1e-5 (bookworm) |
| openssl | openssl | — | — |
| openssl | openssl | >= 0 < 1.0.1e-5 | 1.0.1e-5 |
CVSS provenance
nvd (v2.0): 5.8 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:P
osv: 5.8 MEDIUM
vendor_debian: 5.8 LOW
vendor_redhat: 5.8 MEDIUM
vendor_ubuntu: 4.3 MEDIUM
BSD
FreeBSD-SA-14:03.openssl: OpenSSL multiple vulnerabilities
bsd_advisories·2014-01-14·CVSS 4.3
CVE-2013-4353 [MEDIUM] FreeBSD-SA-14:03.openssl: OpenSSL multiple vulnerabilities
FreeBSD-SA-14:03.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2014-01-14
Affects: FreeBSD 10.0 prior to 10.0-RC5
Corrected: 2014-01-07 20:04:41 UTC (stable/10, 10.0-PRERELEASE)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC5)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC4-p1)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC3-p1)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC2-p1)
2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC1-p1)
CVE Name: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD includes software from the OpenSSL
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2014-01-09·CVSS 4.3
CVE-2013-4353 [MEDIUM] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
Anton Johansson discovered that OpenSSL incorrectly handled certain invalid
TLS handshakes. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2013-4353)
Ron Barber discovered that OpenSSL used an incorrect data structure to
obtain a version number. A remote attacker could use this issue to cause
OpenSSL to crash, resulting in a denial of service. (CVE-2013-6449)
Dmitry Sobinov discovered that OpenSSL incorrectly handled certain DTLS
retransmissions. A remote attacker could use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2013-6450)
This update also disables the default use of the RdRand feature of certain
Intel CP
Red Hat
openssl: crash in DTLS renegotiation after packet loss
vendor_redhat·2013-12-19·CVSS 5.8
CVE-2013-6450 [MEDIUM] openssl: crash in DTLS renegotiation after packet loss
The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 5 and earlier.
Package: openssl (Red Hat Enterprise Linux 4) - Not affected
Package: openssl (Red Hat Enterprise Linux 5) - Not affected
Package: openssl097a (Red Hat Enterprise Linux 5) - Not affected
Package: openssl098e (Red Hat Enterprise Lin
Debian
CVE-2013-6450: openssl - The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 ...
vendor_debian·2013·CVSS 5.8
CVE-2013-6450 [MEDIUM] CVE-2013-6450: openssl - The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 ...
The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Scope: local
bookworm: resolved (fixed in 1.0.1e-5)
bullseye: resolved (fixed in 1.0.1e-5)
forky: resolved (fixed in 1.0.1e-5)
sid: resolved (fixed in 1.0.1e-5)
trixie: resolved (fixed in 1.0.1e-5)
GHSA
GHSA-3qp2-qh33-29hx: The DTLS retransmission implementation in OpenSSL 1
ghsa_unreviewed·2022-05-14
CVE-2013-6450 [MEDIUM] GHSA-3qp2-qh33-29hx: The DTLS retransmission implementation in OpenSSL 1
The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
OSV
CVE-2013-6450: The DTLS retransmission implementation in OpenSSL 1
osv·2014-01-01·CVSS 5.8
CVE-2013-6450 [MEDIUM] CVE-2013-6450: The DTLS retransmission implementation in OpenSSL 1
The DTLS retransmission implementation in OpenSSL 1.0.0 before 1.0.0l and 1.0.1 before 1.0.1f does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context and cause a denial of service (application crash) by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2013-6450 mingw32-openssl: openssl: MiTM due to improper implementation of DTLS retransmission [epel-5]
bugzilla·2014-01-02·CVSS 5.8
CVE-2013-6450 [MEDIUM] CVE-2013-6450 mingw32-openssl: openssl: MiTM due to improper implementation of DTLS retransmission [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when avai
Bugzilla
CVE-2013-6450 openssl: crash in DTLS renegotiation after packet loss
bugzilla·2014-01-02·CVSS 5.8
CVE-2013-6450 [MEDIUM] CVE-2013-6450 openssl: crash in DTLS renegotiation after packet loss
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-6450 to the following vulnerability:
The DTLS retransmission implementation in OpenSSL through 0.9.8y and 1.x through 1.0.1e does not properly maintain data structures for digest and encryption contexts, which might allow man-in-the-middle attackers to trigger the use of a different context by interfering with packet delivery, related to ssl/d1_both.c and ssl/t1_enc.c.
Upstream commit:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3462896
Discussion:
Created mingw32-openssl tracking bugs for this issue:
Affects: epel-5 [bug 1047845]
---
Created openssl tracking bugs for this issue:
Affects: fedora-all [bug 1047843]
---
Created mi
Bugzilla
CVE-2013-6450 mingw-openssl: openssl: MiTM due to improper implementation of DTLS retransmission [fedora-all]
bugzilla·2014-01-02·CVSS 5.8
CVE-2013-6450 [MEDIUM] CVE-2013-6450 mingw-openssl: openssl: MiTM due to improper implementation of DTLS retransmission [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when availab
Bugzilla
CVE-2013-6450 openssl: MiTM due to improper implementation of DTLS retransmission [fedora-all]
bugzilla·2014-01-02·CVSS 5.8
CVE-2013-6450 [MEDIUM] CVE-2013-6450 openssl: MiTM due to improper implementation of DTLS retransmission [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please not
http://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=34628967f1e65dc8f34e000f0f5518e21afbfc7b
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136470.html
http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136473.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00031.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00032.html
http://rhn.redhat.com/errata/RHSA-2014-0015.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://security.gentoo.org/glsa/glsa-201412-39.xml
http://www-01.ibm.com/support/docview.wss?uid=isg400001841
http://www-01.ibm.com/support/docview.wss?uid=isg400001843
http://www.debian.org/security/2014/dsa-2833
http://www.openssl.org/news/vulnerabilities.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/64618
http://www.securitytracker.com/id/1029549
http://www.securitytracker.com/id/1031594
http://www.ubuntu.com/usn/USN-2079-1
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://puppet.com/security/cve/cve-2013-6450
https://security-tracker.debian.org/tracker/CVE-2013-6450
Published: 2014-01-01