SSL: Client Master Key Overflow
This protocol anomaly is a client master key length in the CLIENT_MASTER_KEY message that exceeds 8 bytes.
Extended Description
A buffer-overflow vulnerability has been reported in some versions of OpenSSL. The issue occurs in the handling of the client key value during the negotiation of the SSLv2 protocol. A malicious client may be able to exploit this vulnerability to execute arbitrary code as the vulnerable server process or possibly to create a denial-of-service condition. ***UPDATE: A worm that likely exploits this vulnerability has been discovered propagating in the wild. Additionally, this code includes peer-to-peer and distributed denial-of-service capabilities. There have been numerous reports of intrusions in Europe. It is not yet confirmed whether this vulnerability is in OpenSSL, mod_ssl, or another component. Administrators are advised to upgrade to the most recent versions or to disable Apache, if possible, until more information is available.
Affected Products
Sonicwall ssl-r6,Hp tcp/ip_services_for_openvms,Openssl_project openssl
Short Name
SSL:CLNT-MSTR-KEY-OVERFLOW
Severity
Major
Recommended
True
Recommended Action
Drop
Category
SSL
Keywords
CA-2002-27 CVE-2002-0656 bid:5363
Release Date
02/10/2004
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3339
False Positive
Unknown
Vendors
Apache_software_foundation
Secure_computing
Cisco
Apple
Gentoo
Juniper_networks
Hp
Ibm
Rsa_security
Sonicwall
Novell
Oracle
Covalent
Openssl_project
CVSS Score
7.5