CVE-2014-3511 — Detection of Error Condition Without Action in Openssl

CWE-390 — Detection of Error Condition Without Action14 documents10 sources

Severity

4.3MEDIUMNVD

OSV5.0

EPSS

5.4%

top 9.84%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedAug 13

Latest updateMay 17

Description

The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i allows man-in-the-middle attackers to force the use of TLS 1.0 by triggering ClientHello message fragmentation in communication between a client and server that both support later TLS versions, related to a "protocol downgrade" issue.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages4 packages

▶debiandebian/openssl< openssl 1.0.1i-1 (bookworm)

▶Debianopenssl/openssl< 1.0.1i-1+3

▶Ubuntuopenssl/openssl< 1.0.1f-1ubuntu2.5

▶NVDopenssl/openssl23 versions+22

🔴Vulnerability Details

GHSA

GHSA-xfjr-6mmm-7hc7: The ssl23_get_client_hello function in s23_srvr↗2022-05-17

▶

OSV

CVE-2014-3511: The ssl23_get_client_hello function in s23_srvr↗2014-08-13

▶

OSV

openssl vulnerabilities↗2014-08-07

▶

💥Exploits & PoCs

Exploit-DB

Baidu Spark Browser 26.5.9999.3511 - Remote Stack Overflow (Denial of Service)↗2014-07-02

▶

📋Vendor Advisories

BSD

FreeBSD-SA-14:18.openssl: OpenSSL multiple vulnerabilities↗2014-09-09

▶

Ubuntu

OpenSSL vulnerabilities↗2014-08-07

▶

Red Hat

openssl: TLS protocol downgrade attack↗2014-08-06

▶

Debian

CVE-2014-3511: openssl - The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1 before 1.0.1i...↗2014

▶

🕵️Threat Intelligence

Tenable

[R4] Tenable Products Affected by OpenSSL Protocol Downgrade Vulnerability↗2014-08-21

▶

💬Community

Bugzilla

CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3511 CVE-2014-3510 CVE-2014-3508 mingw-openssl: various flaws [epel-7]↗2014-08-07

▶

Bugzilla

CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3511 CVE-2014-3510 CVE-2014-3508 CVE-2014-3509 mingw-openssl: various flaws [fedora-all]↗2014-08-07

▶

Bugzilla

CVE-2014-3511 openssl: TLS protocol downgrade attack↗2014-08-07

▶

Bugzilla

CVE-2014-3505 CVE-2014-3506 CVE-2014-3507 CVE-2014-3511 CVE-2014-3510 CVE-2014-3508 CVE-2014-3509 openssl: various flaws [fedora-all]↗2014-08-07

▶