CVE-2009-1378

Openssl < 0.9.8m - Memory Leak

Title source: rule

Description

Multiple memory leaks in the dtls1_process_out_of_seq_message function in ssl/d1_both.c in OpenSSL 0.9.8k and earlier 0.9.8 versions allow remote attackers to cause a denial of service (memory consumption) via DTLS records that (1) are duplicates or (2) have sequence numbers much greater than current sequence numbers, aka "DTLS fragment handling memory leak."

Exploits (1)

exploitdb WORKING POC VERIFIED

by Jon Oberheide · cdosmultiple

https://www.exploit-db.com/exploits/8720

View Code ZIP pw:eip

References (37)

[Broken Link, Third Party Advisory] ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc

[Broken Link, Patch, Vendor Advisory] http://cvs.openssl.org/chngview?cn=18188

[Broken Link, Third Party Advisory] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html

[Third Party Advisory] http://lists.vmware.com/pipermail/security-announce/2010/000082.html

[Mailing List, Patch, Third Party Advisory] http://marc.info/?l=openssl-dev&m=124247679213944&w=2

[Exploit, Mailing List, Third Party Advisory] http://marc.info/?l=openssl-dev&m=124263491424212&w=2

[Broken Link, Third Party Advisory] http://rt.openssl.org/Ticket/Display.html?id=1931&user=guest&pass=guest

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/35128

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/35416

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/35461

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/35571

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/35729

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/36533

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/37003

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/38761

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/38794

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/38834

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/42724

[Not Applicable, Third Party Advisory] http://secunia.com/advisories/42733

... and 17 more

Scores

EPSS 0.1325

EPSS Percentile 94.2%

Details

CWE

CWE-401

Status published

Products (5)

canonical/ubuntu_linux 6.06

canonical/ubuntu_linux 8.04

canonical/ubuntu_linux 8.10

canonical/ubuntu_linux 9.04

openssl/openssl 0.9.8 - 0.9.8m

Published May 19, 2009

Tracked Since Feb 18, 2026