OpenSSL information disclosure weakness

by Mario Miri on April 4th, 2003

Various OpenSSL implementations are prone to an information disclosure attack. A malicious attacker could obtain sensitive information by timing certain operations, which may eventually lead to disclosure of the plaintext of transmitted data.


Vulnerable:
Apple MacOS X 10.2.4
FreeBSD 4.2
FreeBSD 4.3
FreeBSD 4.4
FreeBSD 4.5
FreeBSD 4.6
FreeBSD 4.6.2
FreeBSD 4.7 -STABLE
FreeBSD 4.7
FreeBSD 4.8 -PRERELEASE
FreeBSD 5.0
HP Apache-Based Web Server 1.3.27 .00
-HP HP-UX 11.0
-HP HP-UX 11.11
-HP HP-UX 11.20
-HP HP-UX 11.22
HP Apache-Based Web Server 2.0.43 .00
-HP HP-UX 11.0
-HP HP-UX 11.11
-HP HP-UX 11.20
-HP HP-UX 11.22
HP-UX Apache-Based Web Server 1.0.00.01
-HP HP-UX 11.0
-HP HP-UX 11.11
-HP HP-UX 11.20
-HP HP-UX 11.22
OpenBSD 3.1
OpenBSD 3.2
OpenSSL 0.9.1 c
OpenSSL 0.9.2 b
OpenSSL 0.9.3
OpenSSL 0.9.4
-Debian Linux 3.0
-OpenBSD 2.6
OpenSSL 0.9.5 a
-Debian Linux 3.0
-HP Secure OS software for Linux 1.0
-MandrakeSoft Corporate Server 1.0.1
-MandrakeSoft Linux Mandrake 7.1
-MandrakeSoft Linux Mandrake 7.2
-MandrakeSoft Single Network Firewall 7.2
-OpenBSD 2.7
-OpenBSD OpenBSD 2.8
-RedHat Linux 6.2
-RedHat Linux 6.2 alpha
-RedHat Linux 6.2 i386
-RedHat Linux 6.2 sparc
-RedHat Linux 7.0
-RedHat Linux 7.0 alpha
-RedHat Linux 7.0 i386
-RedHat Linux 7.1
-RedHat Linux 7.1 alpha
-RedHat Linux 7.1 i386
-RedHat Linux 7.1 ia64
-RedHat Linux 7.2
-RedHat Linux 7.2 alpha
-RedHat Linux 7.2 i386
-RedHat Linux 7.2 i686
-RedHat Linux 7.2 ia64
-RedHat Linux 7.3 i386
-S.u.S.E. Linux 7.0 alpha
-S.u.S.E. Linux 7.0 i386
-S.u.S.E. Linux 7.0 ppc
-S.u.S.E. Linux 7.0 sparc
OpenSSL 0.9.5
-RedHat Linux 6.2 alpha
-RedHat Linux 6.2 i386
-RedHat Linux 6.2 sparc
OpenSSL 0.9.6 h
OpenSSL 0.9.6 g
-FreeBSD FreeBSD 4.7
-FreeBSD FreeBSD 4.7 -RELEASE
-HP Apache-Based Web Server 1.3.27 .00
-HP Apache-Based Web Server 2.0.43 .00
-HP Webmin-Based Admin 1.0.00.01
-NetBSD 1.6
-OpenPKG 1.1
OpenSSL 0.9.6 e
-FreeBSD FreeBSD 4.6
-FreeBSD FreeBSD 4.6 -RELEASE
OpenSSL Project OpenSSL 0.9.6 d
-Slackware Linux 8.1
OpenSSL 0.9.6 c
-Conectiva Linux 8.0
-Debian Linux 3.0
-MandrakeSoft Linux Mandrake 8.2
-S.u.S.E. Linux 8.0
-S.u.S.E. Linux 8.0 i386
OpenSSL 0.9.6 b
-MandrakeSoft Linux Mandrake 8.1
-MandrakeSoft Linux Mandrake 8.1 ia64
-OpenBSD 3.0
-OpenBSD 3.1
-RedHat Linux 7.2
-RedHat Linux 7.2 i386
-RedHat Linux 7.2 i686
-RedHat Linux 7.2 ia64
-RedHat Linux 7.3
-RedHat Linux 7.3 i386
-S.u.S.E. Linux 7.3 i386
-S.u.S.E. Linux 7.3 ppc
-S.u.S.E. Linux 7.3 sparc
-S.u.S.E. Linux Connectivity Server
-S.u.S.E. Linux Database Server
-S.u.S.E. Linux Enterprise Server 7
-S.u.S.E. Linux Firewall on CD
-S.u.S.E. Office Server
-S.u.S.E. SuSE eMail Server III
OpenSSL 0.9.6 a
-Conectiva Linux 7.0
-NetBSD 1.5
-NetBSD 1.5.1
-NetBSD 1.5.2
-NetBSD 1.5.3
-S.u.S.E. Linux 7.1
-S.u.S.E. Linux 7.1 alpha
-S.u.S.E. Linux 7.1 ppc
-S.u.S.E. Linux 7.1 sparc
-S.u.S.E. Linux 7.2 i386
OpenSSL 0.9.6
-Caldera OpenLinux Server 3.1
-Caldera OpenLinux Server 3.1.1
-Caldera OpenLinux Workstation 3.1
-Caldera OpenLinux Workstation 3.1.1
-Conectiva Linux 6.0
-EnGarde Secure Linux 1.0.1
-HP Secure OS software for Linux 1.0
-MandrakeSoft Linux Mandrake 8.0
-MandrakeSoft Linux Mandrake 8.0 ppc
-NetBSD 1.5
-NetBSD 1.5.1
-NetBSD 1.5.2
-NetBSD 1.5.3
-NetBSD 1.6
-OpenBSD 2.9
-OpenPKG 1.0
-RedHat Linux 7.0 alpha
-RedHat Linux 7.0 i386
-RedHat Linux 7.0 sparc
-RedHat Linux 7.1 alpha
-RedHat Linux 7.1 i386
-RedHat Linux 7.2 alpha
-RedHat Linux 7.2 i386
-RedHat Linux 7.3
-RedHat Linux 7.3 i386
-Trustix Secure Linux 1.1
-Trustix Secure Linux 1.2
-Trustix Secure Linux 1.5
OpenSSL 0.9.7 beta3
OpenSSL 0.9.7 beta2
OpenSSL 0.9.7 beta1
OpenSSL 0.9.7
-FreeBSD 5.0
-OpenBSD 3.2
-OpenPKG 1.2


Not vulnerable:
HP Apache-Based Web Server 1.3.27 .01
-HP-UX 11.0
-HP-UX 11.11
-HP-UX 11.20
-HP-UX 11.22
HP HP-UX Apache-Based Web Server 1.0.01.01
-HP-UX 11.0
-HP-UX 11.11
-HP-UX 11.20
-HP-UX 11.22
OpenSSL 0.9.6 i
OpenSSL 0.9.7 a
-OpenPKG Current

Solution:
Fixes are available from the OS distributor's site.

Discovered by:
Brice Canvel,
Alain Hiltgen,
Serge Vaudenay,
Martin Vuagnoux

