CVE-2016-6308 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Openssl

CWE-399 CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-310 CWE-635 CWE-400 — Uncontrolled Resource Consumption10 documents9 sources

Severity

5.9MEDIUMNVD

EPSS

19.4%

top 4.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedSep 26

Latest updateDec 19

Description

statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a allocates memory before checking for an excessive length, which might allow remote attackers to cause a denial of service (memory consumption) via crafted DTLS messages.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶debiandebian/openssl

▶NVDopenssl/openssl1.1.0

🔴Vulnerability Details

GHSA

GHSA-25v5-24mh-gcpq: statem/statem_dtls↗2022-05-14

▶

📋Vendor Advisories

CISA ICS

Siemens SCALANCE X-200RNA Switch Devices↗2022-12-19

▶

Cisco

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016↗2016-09-27

▶

Red Hat

openssl: excessive allocation of memory in dtls1_preprocess_fragment()↗2016-09-21

▶

Debian

CVE-2016-6308: openssl - statem/statem_dtls.c in the DTLS implementation in OpenSSL 1.1.0 before 1.1.0a a...↗2016

▶

Cisco

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: September 2016↗

▶

🕵️Threat Intelligence

Tenable

[R7] Nessus 6.9 Fixes Multiple Vulnerabilities↗2016-10-25

▶

💬Community

HackerOne

Excessive allocation of memory in dtls1_preprocess_fragment() (CVE-2016-6308)↗2017-05-25

▶

Bugzilla

CVE-2016-6308 openssl: excessive allocation of memory in dtls1_preprocess_fragment()↗2016-09-21

▶