Vigil@nce - OpenSSL: denial of service via DTLS Window
October 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can send a DTLS packet with a large sequence number to
an application compiled with OpenSSL, in order to trigger a denial
of service.
– Impacted products: Blue Coat CAS, ProxyAV, ProxySG, SGOS, Cisco
ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility
Client, Cisco ACE, ASA, AsyncOS, Cisco Catalyst, Cisco Content
SMA, Cisco ESA, Cisco IOS, Cisco IOS XE, Cisco IPS, Cisco Nexus,
NX-OS, Cisco Prime Access Registrar, Prime Infrastructure,
Cisco Router, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco IP
Phone, Cisco MeetingPlace, Cisco Wireless Controller, Debian,
Fedora, FileZilla Server, FreeBSD, FreeRADIUS, Juniper J-Series,
JUNOS, Junos Space, NSM Central Manager, NSMXpress, NetScreen
Firewall, ScreenOS, OpenSSL, openSUSE, openSUSE Leap, Solaris,
pfSense, RHEL, Slackware, stunnel, SUSE Linux Enterprise Desktop,
SLES, Synology DS***, Synology RS***, Ubuntu, Wind River Linux.
– Severity: 2/4.
– Creation date: 24/08/2016.
DESCRIPTION OF THE VULNERABILITY
The OpenSSL library implements DTLS (Datagram Transport Layer
Security), the variant of TLS that runs over an unreliable datagram
transport such as UDP.
Because datagrams can be lost, duplicated or reordered, each DTLS
record carries a sequence number and the receiver keeps a sliding
window of recently accepted sequence numbers: a record already
marked in the window is a replay and is dropped, and a record older
than the window's left edge is dropped as well. The window is
advanced whenever a record with a higher sequence number arrives.
In the affected OpenSSL code this advance happens before the
record's MAC has been verified, so the attacker does not need the
session keys, only the ability to send a UDP datagram to the
endpoint (the source address can be spoofed). A forged record with
a sequence number far ahead of the current one is rejected for its
bad MAC, yet it still slides the window forward; the peer's
subsequent legitimate records then fall before the start of the
window and are silently discarded as replays, stalling the
connection.
An attacker can therefore send a DTLS packet with a large sequence
number to an application compiled with OpenSSL, in order to
trigger a denial of service.
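The mechanism above, as an added example that is not OpenSSL's code or part of the original bulletin: a 64-entry bitmap replay window in the style of RFC 4303 / RFC 6347, a toy record format whose MAC is an HMAC over the sequence number and payload (the key, the window size and the record layout are assumptions standing in for the real DTLS ones; epoch handling is omitted), and two receivers that differ only in whether the window is advanced before or after the MAC check. Feeding both the same stream of legitimate records with one spoofed high-sequence-number record in the middle shows the first receiver dropping every later legitimate record as a replay while the second keeps accepting them.

```python
"""Sliding-window DTLS anti-replay check, and the effect of updating the
window before versus after MAC verification. Added example, not OpenSSL
code: the record format, key and MAC are simplified stand-ins for DTLS's."""
import hashlib
import hmac
from dataclasses import dataclass

WINDOW_BITS = 64  # assumption: a 64-record window (RFC 6347 requires at least 32)


@dataclass
class Record:
    seq: int        # 48-bit DTLS record sequence number (epoch handling omitted)
    payload: bytes
    mac: bytes      # HMAC over seq || payload in this toy format


def compute_mac(key: bytes, seq: int, payload: bytes) -> bytes:
    return hmac.new(key, seq.to_bytes(6, "big") + payload, hashlib.sha256).digest()


def make_record(key: bytes, seq: int, payload: bytes) -> Record:
    return Record(seq, payload, compute_mac(key, seq, payload))


def verify_mac(key: bytes, rec: Record) -> bool:
    return hmac.compare_digest(rec.mac, compute_mac(key, rec.seq, rec.payload))


class ReplayWindow:
    """Bitmap of the WINDOW_BITS most recent sequence numbers (RFC 4303 / RFC 6347 style).
    Bit i of `bitmap` is set when sequence number (top - i) has already been accepted."""

    def __init__(self) -> None:
        self.top = -1   # highest accepted sequence number; -1 means none yet
        self.bitmap = 0

    def is_fresh(self, seq: int) -> bool:
        """False if seq was already seen or lies left of the window's oldest slot."""
        if seq > self.top:
            return True
        diff = self.top - seq
        if diff >= WINDOW_BITS:
            return False
        return not (self.bitmap >> diff) & 1

    def mark(self, seq: int) -> None:
        """Record seq as seen, sliding the window right when seq is beyond top."""
        if seq > self.top:
            shift = seq - self.top  # a large jump drops everything older than seq-63
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW_BITS) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def receive_vulnerable(win: ReplayWindow, key: bytes, rec: Record) -> str:
    """Flawed ordering described in the bulletin: the window is advanced as soon as
    the sequence number passes the freshness check, before the MAC is verified, so a
    forged record with a large sequence number slides the window forward."""
    if not win.is_fresh(rec.seq):
        return "replayed"
    win.mark(rec.seq)
    if not verify_mac(key, rec):
        return "bad_mac"
    return "accepted"


def receive_fixed(win: ReplayWindow, key: bytes, rec: Record) -> str:
    """Hardened ordering: only an authenticated record may move the window."""
    if not win.is_fresh(rec.seq):
        return "replayed"
    if not verify_mac(key, rec):
        return "bad_mac"
    win.mark(rec.seq)
    return "accepted"


def simulate(receive) -> list:
    """Feed legitimate records 1..3, one spoofed record with a sequence number far
    ahead, then legitimate records 4..6; return (seq, outcome) for each record."""
    key = b"constructed shared key"  # constructed; the real key comes from the handshake
    win = ReplayWindow()
    outcome = []
    for seq in (1, 2, 3):
        outcome.append((seq, receive(win, key, make_record(key, seq, b"app data"))))
    spoof = Record(seq=3 + 1000, payload=b"junk", mac=bytes(32))  # needs no key to send
    outcome.append((spoof.seq, receive(win, key, spoof)))
    for seq in (4, 5, 6):
        outcome.append((seq, receive(win, key, make_record(key, seq, b"app data"))))
    return outcome


if __name__ == "__main__":
    for name, fn in (("vulnerable", receive_vulnerable), ("fixed", receive_fixed)):
        print(name, simulate(fn))
```

The spoofed record is rejected with "bad_mac" by both receivers; the difference is that `receive_vulnerable` has already moved `top` to 1003 by then, so records 4, 5 and 6 fall more than 64 slots behind the window and come back as "replayed", which is exactly the silent packet loss the bulletin describes. Swapping the two checks, as `receive_fixed` does, is the whole fix: a record that cannot authenticate must not be allowed to change receiver state.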
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/OpenSSL-denial-of-service-via-DTLS-Window-20458