Denial of Service Vulnerability in OpenSSL Versions Affected by Kerberos Ciphersuites
CVE-2004-0112

Currently unrated

Key Information:

Vendor: Cisco

CVE Published: 23 November 2004

Summary

The SSL/TLS handshake code in specific OpenSSL versions contains a flaw that is reachable when Kerberos ciphersuites are used. The vulnerability arises from improper length checks for Kerberos tickets: by sending a carefully crafted SSL/TLS handshake, an attacker can trigger an out-of-bounds read that crashes the application, resulting in a denial of service. This issue highlights the importance of validating the length of authentication tickets before handling them within cryptographic protocols.
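The kind of length check whose absence the summary describes, as an added example that is not OpenSSL's code: a parser that refuses any declared field length running past the bytes actually received. The three-field layout (ticket, authenticator, encrypted secret), the 2-byte big-endian length prefixes and every name here are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical view of one length-prefixed field inside a handshake message. */
struct field { const uint8_t *data; size_t len; };

/* Read a 2-byte big-endian length and that many bytes, advancing *p.
 * Returns -1 if the prefix or the declared length runs past `end`. */
static int read_field(const uint8_t **p, const uint8_t *end, struct field *out)
{
    if ((size_t)(end - *p) < 2)
        return -1;                      /* no room for the length prefix */
    size_t len = ((size_t)(*p)[0] << 8) | (*p)[1];
    *p += 2;
    if (len > (size_t)(end - *p))
        return -1;                      /* declared length exceeds received data */
    out->data = *p;
    out->len = len;
    *p += len;
    return 0;
}

/* Assumed layout: ticket, authenticator, encrypted secret, in that order.
 * Returns 0 only if all three fields fit exactly in the message. */
int parse_krb5_kx(const uint8_t *msg, size_t msg_len)
{
    const uint8_t *p = msg, *end = msg + msg_len;
    struct field f[3];
    for (int i = 0; i < 3; i++)
        if (read_field(&p, end, &f[i]) != 0)
            return -1;
    return p == end ? 0 : -1;           /* trailing bytes are rejected too */
}

/* Constructed samples: one well-formed, one with an oversized ticket length. */
const uint8_t good_msg[] = {0, 2, 'T', 'K', 0, 1, 'A', 0, 1, 'S'};
const uint8_t bad_msg[]  = {0xFF, 0xFF, 'T', 'K', 0, 1, 'A', 0, 1, 'S'};

int main(void)
{
    printf("good: %d\n", parse_krb5_kx(good_msg, sizeof good_msg));
    printf("bad:  %d\n", parse_krb5_kx(bad_msg, sizeof bad_msg));
    return 0;
}
```

Without the second check in `read_field`, the oversized length in `bad_msg` would make later code read far beyond the received buffer, which is the out-of-bounds read class the summary refers to.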
