
OpenSSL SSLv2 Client_Master_Key Remote Denial Of Service Vulnerability

The SSLv2 implementation in OpenSSL has been reported prone to a remotely triggered denial of service when processing a specially crafted CLIENT_MASTER_KEY message.

It has been reported that a remote attacker may use a maliciously crafted CLIENT_MASTER_KEY message to steer the execution flow of a vulnerable service implementing SSLv2 into a die() procedure. This effectively causes the affected process to abort, denying service to legitimate users.

This vulnerability is not reported to be present in OpenSSL versions greater than 0.9.6f of the 0.9.6 series of releases, because those versions no longer use the die() procedure. It is not known whether the 0.9.7 series is also affected.







 

Copyright 2008, SecurityFocus