OpenSSL CVE-2016-2179 Denial of Service Vulnerability

Description

Severity: Low

In a DTLS connection where handshake messages are delivered out of order, those messages that OpenSSL is not yet ready to process are buffered for later use. Under certain circumstances, a flaw in the logic means that those messages do not get removed from the buffer even though the handshake has been completed. An attacker could force up to approximately 15 messages to remain in the buffer when they are no longer required. These messages are only cleared when the DTLS connection is closed. The default maximum size for a message is 100k, so the attacker could force an additional 1500k to be consumed per connection. By opening many simultaneous connections an attacker could cause a DoS attack through memory exhaustion.

OpenSSL 1.0.2 DTLS users should upgrade to 1.0.2i.
OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1u.

This issue was reported to OpenSSL on 22nd June 2016 by Quan Luo. The fix was developed by Matt Caswell of the OpenSSL development team.
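The following Python model is an added illustration written for this page; it is not OpenSSL's code and does not reproduce OpenSSL's fragment-reassembly logic. It mimics only the accounting the advisory describes: handshake messages that arrive ahead of the expected sequence number sit in a bounded queue, and in the vulnerable variant that queue is never emptied when the handshake completes. The constants (15 buffered messages, 100k per message), the sequence numbers and the class and function names are assumptions chosen to match the advisory's figures.

```python
"""Simplified model of the DTLS buffered-message leak behind CVE-2016-2179.

Illustrative code written for this page, not OpenSSL's implementation.  The
receiver keeps handshake messages that arrive ahead of the expected sequence
number in a bounded queue.  In the vulnerable variant the queue is never
emptied when the handshake completes, so a peer who fills it with messages
that will never be needed pins their memory until the connection is closed.
"""
from dataclasses import dataclass, field

# Figures quoted in the advisory (approximate, assumed here as exact):
# default maximum handshake message size and the number of messages an
# attacker can leave buffered.
MAX_MSG_SIZE = 100 * 1024
MAX_BUFFERED = 15


@dataclass
class DtlsReceiver:
    """Receive side of one DTLS handshake (model, not OpenSSL's state machine)."""
    clear_on_finish: bool                          # True = fixed, False = vulnerable
    next_seq: int = 0                              # sequence number expected next
    buffered: dict = field(default_factory=dict)   # seq -> payload, messages "from the future"
    processed: list = field(default_factory=list)  # payloads handled in order
    handshake_done: bool = False

    def receive(self, seq: int, payload: bytes) -> None:
        """Deliver one handshake message; buffer it if it arrived early."""
        if self.handshake_done or seq < self.next_seq:
            return  # stray post-handshake message or a duplicate: drop it
        if seq > self.next_seq:
            if len(self.buffered) < MAX_BUFFERED:  # queue is bounded; extras are dropped
                self.buffered[seq] = payload
            return
        self.processed.append(payload)
        self.next_seq += 1
        # Drain any buffered messages that have now become due.
        while self.next_seq in self.buffered:
            self.processed.append(self.buffered.pop(self.next_seq))
            self.next_seq += 1

    def finish_handshake(self) -> None:
        """Handshake complete: the fixed variant discards whatever is still buffered."""
        self.handshake_done = True
        if self.clear_on_finish:
            self.buffered.clear()

    def buffered_bytes(self) -> int:
        return sum(len(p) for p in self.buffered.values())


def run_attacker_connection(fixed: bool, handshake_len: int = 3) -> DtlsReceiver:
    """One connection whose peer completes a short in-order handshake but also
    sends MAX_BUFFERED + 1 maximum-size messages with sequence numbers the
    handshake will never reach (constructed input)."""
    conn = DtlsReceiver(clear_on_finish=fixed)
    for seq in range(handshake_len):
        conn.receive(seq, b"legitimate handshake message")
    for seq in range(100, 100 + MAX_BUFFERED + 1):
        conn.receive(seq, b"\x00" * MAX_MSG_SIZE)
    conn.finish_handshake()
    return conn


def retained_bytes(num_connections: int, fixed: bool) -> int:
    """Memory pinned by stale buffers across many connections held open."""
    return sum(run_attacker_connection(fixed).buffered_bytes()
               for _ in range(num_connections))


if __name__ == "__main__":
    print(f"vulnerable: {retained_bytes(1, fixed=False)} bytes retained per connection")
    print(f"vulnerable: {retained_bytes(1000, fixed=False)} bytes across 1000 connections")
    print(f"fixed:      {retained_bytes(1000, fixed=True)} bytes across 1000 connections")
```

The vulnerable variant retains 15 x 100k per connection (the advisory's 1500k) for as long as the peer keeps the connection open, and the total scales linearly with the number of connections, which is the memory-exhaustion path the advisory describes. The fixed variant drops the stale queue at handshake completion, so the per-connection cost returns to zero. In deployments this matters only where DTLS is actually used; the remediation is the upgrade to 1.0.2i or 1.0.1u named above.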

Affected Applications

OpenSSL

CVE References

CVE-2016-2179