CVE-2009-1386

OpenSSL < 0.9.8i - Denial of Service via DTLS ChangeCipherSpec Packet

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-1386. PoCs published by Jon Oberheide, including Metasploit module auxiliary/dos/ssl/dtls_changecipherspec.

AI-analyzed exploit summary This exploit sends a malformed DTLS ChangeCipherSpec packet to trigger a segmentation fault in OpenSSL versions prior to 0.9.8i. It constructs a UDP packet with a specific payload and sends it to the target server, causing a denial of service.

Description

ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Jon Oberheide · cdosmultiple
https://www.exploit-db.com/exploits/8873

This exploit sends a malformed DTLS ChangeCipherSpec packet to trigger a segmentation fault in OpenSSL versions prior to 0.9.8i. It constructs a UDP packet with a specific payload and sends it to the target server, causing a denial of service.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: OpenSSL < 0.9.8i
No auth needed
Prerequisites: Network access to the target DTLS server · Target server running a vulnerable version of OpenSSL
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/ssl/dtls_changecipherspec.rb

This Metasploit module exploits a Denial of Service (DoS) vulnerability in OpenSSL versions 0.9.8i and earlier by sending a malformed DTLS ChangeCipherSpec datagram before a ClientHello, causing the service to crash.

Classification
Working Poc 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: OpenSSL 0.9.8i and earlier
No auth needed
Prerequisites: Network access to the target · OpenSSL DTLS service running on the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (21)

Core 21
Core References
Not Applicable, Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38794
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://lists.vmware.com/pipermail/security-announce/2010/000082.html
Not Applicable, Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35729
Broken Link, Patch, Third Party Advisory x_refsource_confirm
http://cvs.openssl.org/chngview?cn=17369
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2009/06/02/1
Third Party Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2009-1335.html
Broken Link, Third Party Advisory vendor-advisory x_refsource_hp
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02029444
Not Applicable, Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/36533
Broken Link, Tool Signature vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11179
Third Party Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-792-1
Broken Link, Tool Signature vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7469
Third Party Advisory, Vendor Advisory x_refsource_confirm
http://rt.openssl.org/Ticket/Display.html?id=1679&user=guest&pass=guest
Broken Link, Third Party Advisory vendor-advisory x_refsource_netbsd
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2009-009.txt.asc
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/38834
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/50963
Not Applicable, Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35685
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/8873
Not Applicable, Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35571
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
Broken Link, Exploit, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35174
Permissions Required, Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/0528

Scores

EPSS 0.4763
EPSS Percentile 97.8%

Details

CWE
CWE-476
Status published
Products (8)
canonical/ubuntu_linux 6.06
canonical/ubuntu_linux 8.04
canonical/ubuntu_linux 8.10
canonical/ubuntu_linux 9.04
openssl/openssl 0.9.8 - 0.9.8i
redhat/openssl 0.9.6-15
redhat/openssl 0.9.6b-3
redhat/openssl 0.9.7a-2
Published Jun 04, 2009
Tracked Since Feb 18, 2026