ID CVE-2007-5135
Summary Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.
References
Vulnerable Configurations
  • cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7:beta3:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7:beta4:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7:beta4:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7:beta5:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7:beta5:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7:beta6:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7:beta6:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.7l:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.7l:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*
CVSS
Base: 6.8 (as of 15-10-2018 - 21:40)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2013-04-29T04:09:52.329-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.
    family unix
    id oval:org.mitre.oval:def:10904
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.
    version 24
  • accepted 2008-03-24T04:00:43.411-04:00
    class vulnerability
    contributors
    name Pai Peng
    organization Hewlett-Packard
    definition_extensions
    • comment Solaris 10 (SPARC) is installed
      oval oval:org.mitre.oval:def:1440
    • comment Solaris 10 (x86) is installed
      oval oval:org.mitre.oval:def:1926
    description Off-by-one error in the SSL_get_shared_ciphers function in OpenSSL 0.9.7 up to 0.9.7l, and 0.9.8 up to 0.9.8f, might allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. NOTE: this issue was introduced as a result of a fix for CVE-2006-3738. As of 20071012, it is unknown whether code execution is possible.
    family unix
    id oval:org.mitre.oval:def:5337
    status accepted
    submitted 2008-02-14T08:25:18.000-05:00
    title Security Vulnerability in Solaris 10 OpenSSL SSL_get_shared_ciphers() Function
    version 31
redhat via4
advisories
  • bugzilla
    id 309801
    title CVE-2007-5135 openssl SSL_get_shared_ciphers() off-by-one
    oval
    AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhba:tst:20070026001
    • OR
      • AND
        • comment openssl is earlier than 0:0.9.7a-33.24
          oval oval:com.redhat.rhsa:tst:20070813002
        • comment openssl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060695003
      • AND
        • comment openssl-devel is earlier than 0:0.9.7a-33.24
          oval oval:com.redhat.rhsa:tst:20070813004
        • comment openssl-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060695005
      • AND
        • comment openssl-perl is earlier than 0:0.9.7a-33.24
          oval oval:com.redhat.rhsa:tst:20070813006
        • comment openssl-perl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060695007
    rhsa
    id RHSA-2007:0813
    released 2007-10-22
    severity Moderate
    title RHSA-2007:0813: openssl security update (Moderate)
  • bugzilla
    id 321191
    title CVE-2007-4995 openssl dtls out of order vulnerabilitiy
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment openssl is earlier than 0:0.9.8b-8.3.el5_0.2
          oval oval:com.redhat.rhsa:tst:20070964002
        • comment openssl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070964003
      • AND
        • comment openssl-devel is earlier than 0:0.9.8b-8.3.el5_0.2
          oval oval:com.redhat.rhsa:tst:20070964004
        • comment openssl-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070964005
      • AND
        • comment openssl-perl is earlier than 0:0.9.8b-8.3.el5_0.2
          oval oval:com.redhat.rhsa:tst:20070964006
        • comment openssl-perl is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20070964007
    rhsa
    id RHSA-2007:0964
    released 2007-10-12
    severity Important
    title RHSA-2007:0964: openssl security update (Important)
  • bugzilla
    id 309801
    title CVE-2007-5135 openssl SSL_get_shared_ciphers() off-by-one
    oval
    AND
    • comment Red Hat Enterprise Linux 4 is installed
      oval oval:com.redhat.rhba:tst:20070304001
    • OR
      • AND
        • comment openssl is earlier than 0:0.9.7a-43.17.el4_6.1
          oval oval:com.redhat.rhsa:tst:20071003002
        • comment openssl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060695003
      • AND
        • comment openssl-devel is earlier than 0:0.9.7a-43.17.el4_6.1
          oval oval:com.redhat.rhsa:tst:20071003004
        • comment openssl-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060695005
      • AND
        • comment openssl-perl is earlier than 0:0.9.7a-43.17.el4_6.1
          oval oval:com.redhat.rhsa:tst:20071003006
        • comment openssl-perl is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20060695007
    rhsa
    id RHSA-2007:1003
    released 2007-11-15
    severity Moderate
    title RHSA-2007:1003: openssl security and bug fix update (Moderate)
rpms
  • openssl-0:0.9.7a-33.24
  • openssl-devel-0:0.9.7a-33.24
  • openssl-perl-0:0.9.7a-33.24
  • openssl-0:0.9.8b-8.3.el5_0.2
  • openssl-devel-0:0.9.8b-8.3.el5_0.2
  • openssl-perl-0:0.9.8b-8.3.el5_0.2
  • openssl-0:0.9.7a-43.17.el4_6.1
  • openssl-devel-0:0.9.7a-43.17.el4_6.1
  • openssl-perl-0:0.9.7a-43.17.el4_6.1
refmap via4
apple APPLE-SA-2008-07-31
bid 25831
bugtraq
  • 20070927 OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow
  • 20071001 Re: OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow
  • 20071003 FLEA-2007-0058-1 openssl openssl-scripts
  • 20071004 Re: OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow
  • 20080108 VMSA-2008-0001 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
  • 20080123 UPDATED VMSA-2008-0001.1 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
confirm
debian DSA-1379
fedora FEDORA-2007-725
freebsd FreeBSD-SA-07:08
gentoo
  • GLSA-200710-06
  • GLSA-200805-07
hp
  • HPSBUX02292
  • SSRT071499
mandriva MDKSA-2007:193
misc https://bugs.gentoo.org/show_bug.cgi?id=194039
mlist [Security-announce] 20080107 VMSA-2008-0001 Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packages
netbsd NetBSD-SA2008-007
openbsd
  • [4.0] 017: SECURITY FIX: October 10, 2007
  • [4.1] 011: SECURITY FIX: October 10, 2007
  • [4.2] 002: SECURITY FIX: October 10, 2007
sectrack 1018755
secunia
  • 22130
  • 27012
  • 27021
  • 27031
  • 27051
  • 27078
  • 27097
  • 27186
  • 27205
  • 27217
  • 27229
  • 27330
  • 27394
  • 27851
  • 27870
  • 27961
  • 28368
  • 29242
  • 30124
  • 30161
  • 31308
  • 31326
  • 31467
  • 31489
sreason 3179
sunalert
  • 103130
  • 200858
suse
  • SUSE-SR:2007:020
  • SUSE-SR:2008:005
ubuntu USN-522-1
vupen
  • ADV-2007-3325
  • ADV-2007-3625
  • ADV-2007-4042
  • ADV-2007-4144
  • ADV-2008-0064
  • ADV-2008-2268
  • ADV-2008-2361
  • ADV-2008-2362
xf openssl-sslgetshared-bo(36837)
Last major update 15-10-2018 - 21:40
Published 27-09-2007 - 20:17
Back to Top