virus logo FortiClient Vulnerability

OpenSSL CVE-2014-3567 Input Validation Bypass Vulnerability

description-logoDescription

Severity: MediumWhen an OpenSSL SSL/TLS/DTLS server receives a session ticket theintegrity of that ticket is first verified. In the event of a sessionticket integrity check failing, OpenSSL will fail to free memorycausing a memory leak. By sending a large number of invalid sessiontickets an attacker could exploit this issue in a Denial Of Serviceattack.OpenSSL 1.0.1 users should upgrade to 1.0.1j.OpenSSL 1.0.0 users should upgrade to 1.0.0o.OpenSSL 0.9.8 users should upgrade to 0.9.8zc. This issue was reported to OpenSSL on 8th October 2014.The fix was developed by Stephen Henson of the OpenSSL core team.SSL 3.0 Fallback protectionSeverity: MediumOpenSSL has added support for TLS_FALLBACK_SCSV to allow applicationsto block the ability for a MITM attacker to force a protocoldowngrade.Some client applications (such as browsers) will reconnect using adowngraded protocol to work around interoperability bugs in olderservers. This could be exploited by an active man-in-the-middle todowngrade connections to SSL 3.0 even if both sides of the connectionsupport higher protocols. SSL 3.0 contains a number of weaknesses

affected-products-logoAffected Applications

OpenSSL

CVE References

CVE-2014-3567

Other References

https://www.openssl.org/news/vulnerabilities.html
ID 54491
Created Jan 17, 2020
Description
Updated		 Dec 19, 2023
Risk black-background-circle-icon black-background-circle-icon black-background-circle-icon black-background-circle-icon lightgray-background-circle-icon
Coverage FortiClient
OS Linux
Vendor OpenSSL
Patch manual
Application OpenSSL