CVE-2014-0195
published 2014-06-05

Priority: P2 · 63 · medium
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: known
EPSS: 99.98% (100.0th percentile)
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.

Affected

18 ranges

Vendor         | Product     | Version range                         | Fixed in
cisco          | products    |                                       |
debian         | openssl     | < openssl 1.0.1h-1 (bookworm)         | openssl 1.0.1h-1 (bookworm)
fedoraproject  | fedora      |                                       |
fedoraproject  | fedora      |                                       |
mariadb        | mariadb     | >= 10.0.0 < 10.0.13                   | 10.0.13
openssl        | openssl     | >= 0 < 1.0.1h-1                       | 1.0.1h-1
openssl        | openssl     | >= 0 < 1.0.1h-1                       | 1.0.1h-1
openssl        | openssl     | >= 0 < 1.0.1h-1                       | 1.0.1h-1
openssl        | openssl     | >= 0 < 1.0.1h-1                       | 1.0.1h-1
openssl        | openssl     | >= 0 < 1.0.1f-1ubuntu2.3              | 1.0.1f-1ubuntu2.3
openssl        | openssl     | >= 0 < 1.0.1f-1ubuntu2.4              | 1.0.1f-1ubuntu2.4
openssl        | openssl     | >= 0 < 1.0.1f-1ubuntu2.2              | 1.0.1f-1ubuntu2.2
openssl        | openssl     | >= 0.9.8 < 0.9.8za                    | 0.9.8za
openssl        | openssl     | >= 1.0.0 < 1.0.0m                     | 1.0.0m
openssl        | openssl     | >= 1.0.1 < 1.0.1h                     | 1.0.1h
opensuse       | leap        |                                       |
opensuse       | opensuse    |                                       |
paloalto       | cortex_xdr  |                                       |

Detection & IOCs (extracted from sources)

Path: d1_both.c
Filename: dtls_fragment_overflow.rb
  • Detect DTLS ClientHello messages with multiple fragments where later fragment lengths are larger than the first fragment; this is the specific malformed condition that triggers the buffer overflow.
  • Monitor for exploitation of dtls1_reassemble_fragment via long non-initial DTLS fragments; the vulnerable function is dtls1_reassemble_fragment in d1_both.c.
  • Focus detection on DTLS (UDP-based TLS) traffic; the vulnerability is specific to DTLS and does not affect standard TLS over TCP.
  • Red Hat Enterprise Linux 5 openssl, openssl097a, and several JBoss/EAP/EWS packages are NOT affected; avoid false-positive alerting on these platforms.
  • Red Hat Enterprise Linux 6 openssl098e and guest-images are NOT affected.
  • On Ubuntu, the vulnerability only affects 12.04 LTS, 13.10, and 14.04 LTS; scope detection accordingly.

CVSS provenance

Source         | Version | Score | Severity | Vector
nvd            | v2.0    | 6.8   | MEDIUM   | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv            |         | 6.8   | MEDIUM   |
vendor_cisco   |         | 10.0  | CRITICAL |
vendor_debian  |         | 6.8   | MEDIUM   |
vendor_redhat  |         | 6.8   | MEDIUM   |
vendor_ubuntu  |         | 6.8   | MEDIUM   |