National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2010-0433 Detail

Description

The kssl_keytab_is_available function in ssl/kssl.c in OpenSSL before 0.9.8n, when Kerberos is enabled but Kerberos configuration files cannot be opened, does not check a certain return value, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via SSL cipher negotiation, as demonstrated by a chroot installation of Dovecot or stunnel without Kerberos configuration files inside the chroot.

Source:  MITRE      Last Modified:  03/05/2010

Quick Info

CVE Dictionary Entry:
CVE-2010-0433
Original release date:
03/05/2010
Last revised:
09/18/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
4.3 MEDIUM
Vector:
(AV:N/AC:M/Au:N/C:N/I:N/A:P) (legend)
Impact Subscore:
2.9
Exploitability Subscore:
8.6
CVSS Version 2 Metrics:
Access Vector:
Network exploitable
Access Complexity:
Medium
Authentication:
Not required to exploit
Impact Type:
Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc External Source CONFIRM http://aix.software.ibm.com/aix/efixes/security/openssl_advisory.asc
http://cvs.openssl.org/chngview?cn=19374 External Source CONFIRM http://cvs.openssl.org/chngview?cn=19374
http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/c3e1ab0034ca4b4c/66aa896c3a78b2f7 External Source MISC http://groups.google.com/group/mailing.openssl.users/browse_thread/thread/c3e1ab0034ca4b4c/66aa896c3a78b2f7
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038587.html External Source FEDORA FEDORA-2010-5744
http://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html External Source FEDORA FEDORA-2010-5357
http://marc.info/?l=bugtraq&m=127128920008563&w=2 External Source HP SSRT100058
http://marc.info/?l=bugtraq&m=127557640302499&w=2 External Source HP SSRT100108
http://www.mail-archive.com/dovecot@dovecot.org/msg26224.html External Source MLIST [dovecot] 20100219 segfault - (imap|pop3)-login during nessus scan
http://www.mandriva.com/security/advisories?name=MDVSA-2010:076 External Source MANDRIVA MDVSA-2010:076
http://www.openssl.org/news/changelog.html External Source CONFIRM http://www.openssl.org/news/changelog.html
http://www.openwall.com/lists/oss-security/2010/03/03/5 External Source MLIST [oss-security] 20100303 OpenSSL (with KRB5) remote crash - CVE-2010-0433
http://www.securityfocus.com/archive/1/archive/1/516397/100/0/threaded External Source BUGTRAQ 20110211 VMSA-2011-0003 Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
http://www.vmware.com/security/advisories/VMSA-2011-0003.html External Source CONFIRM http://www.vmware.com/security/advisories/VMSA-2011-0003.html
http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html External Source CONFIRM http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html
http://www.vupen.com/english/advisories/2010/0839 External Source VUPEN ADV-2010-0839
http://www.vupen.com/english/advisories/2010/0916 External Source VUPEN ADV-2010-0916
http://www.vupen.com/english/advisories/2010/0933 External Source VUPEN ADV-2010-0933
http://www.vupen.com/english/advisories/2010/1216 External Source VUPEN ADV-2010-1216
https://bugzilla.redhat.com/show_bug.cgi?id=567711 External Source CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=567711
https://bugzilla.redhat.com/show_bug.cgi?id=569774 External Source CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=569774
https://kb.bluecoat.com/index?page=content&id=SA50 External Source CONFIRM https://kb.bluecoat.com/index?page=content&id=SA50
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000101.html External Source MLIST [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.0.6a has been released
https://lists.balabit.com/pipermail/syslog-ng-announce/2011-January/000102.html External Source MLIST [syslog-ng-announce] 20110110 syslog-ng Premium Edition 3.2.1a has been released
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12260 External Source OVAL oval:org.mitre.oval:def:12260
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6718 External Source OVAL oval:org.mitre.oval:def:6718
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9856 External Source OVAL oval:org.mitre.oval:def:9856

References to Check Content

Identifier:
oval:org.mitre.oval:def:12260
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:12260
Identifier:
oval:org.mitre.oval:def:6718
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6718
Identifier:
oval:org.mitre.oval:def:9856
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9856

Technical Details

Vulnerability Type (View All)

Change History 3 change records found - show changes