Vulnerability CVE-2002-0657 - CERT Civis.Net

Vulnerability Name:

CVE-2002-0657 (CCN-9715)

Assigned:

2002-07-30

Published:

2002-07-30

Updated:

2008-09-10

Summary:

Buffer overflow in OpenSSL 0.9.7 before 0.9.7-beta3, with Kerberos enabled, allows attackers to execute arbitrary code via a long master key.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: CALDERA
Type: UNKNOWN
CSSA-2002-033.0

Source: CALDERA
Type: UNKNOWN
CSSA-2002-033.1

Source: CCN
Type: FreeBSD Security Advisory FreeBSD-SA-02:33.openssl
openssl contains multiple vulnerabilities

Source: FREEBSD
Type: UNKNOWN
FreeBSD-SA-02:33

Source: CCN
Type: Caldera International, Inc. Security Advisory CSSA-2002-033.1
Linux: REVISED: multiple vulnerabilities in openssl

Source: CCN
Type: BugTraq Mailing List, Tue Jul 30 2002 - 05:15:00 CDT
OpenSSL patches for other versions

Source: CCN
Type: BugTraq Mailing List, Thu Oct 03 2002 - 14:37:31 CDT
Cisco Secure Content Accelerator vulnerable to SSL worm

Source: MITRE
Type: CNA
CVE-2002-0657

Source: CONECTIVA
Type: UNKNOWN
CLA-2002:513

Source: CCN
Type: Compaq SECURITY BULLETIN SRB0036W
SSRT2310a HP Tru64 UNIX & HP OpenVMS Potential OpenSSL Security Vulnerability

Source: CCN
Type: CERT Advisory CA-2002-23
Multiple Vulnerabilities In OpenSSL

Source: CERT
Type: Patch, Third Party Advisory, US Government Resource
CA-2002-23

Source: CCN
Type: CIAC Information Bulletin M-103
Multiple Vulnerabilities in OpenSSL

Source: DEBIAN
Type: DSA-136
openssl -- multiple remote exploits

Source: XF
Type: UNKNOWN
openssl-ssl3-masterkey-bo(9715)

Source: CCN
Type: US-CERT VU#561275
OpenSSL servers contain a remotely exploitable buffer overflow vulnerability during the SSL3 handshake process

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#561275

Source: MANDRAKE
Type: UNKNOWN
MDKSA-2002:046

Source: CCN
Type: EnGarde Secure Linux Security Advisory ESA-20020730-019
Several vulnerabilities in the openssl library

Source: CCN
Type: National Infrastructure Protection Center Advisory 02-006
OpenSSL Vulnerability

Source: CCN
Type: OpenPKG-SA-2002.008
OpenSSL

Source: CCN
Type: OpenSSL Project Web site
OpenSSL: The Open Source toolkit for SSL/TLS

Source: CCN
Type: OpenSSL Security Advisory [30 July 2002]
Vulnerabilities in OpenSSL versions before 0.9.6e

Source: CCN
Type: OSVDB ID: 3942
OpenSSL SSLv3 with Kerberos Master Key Overflow

Source: CCN
Type: BID-5353
Multiple OpenSSL Remote Buffer Overflow Vulnerabilities

Source: BID
Type: UNKNOWN
5361

Source: CCN
Type: BID-5361
OpenSSL Kerberos Enabled SSLv3 Master Key Exchange Buffer Overflow Vulnerability

Source: CCN
Type: Trustix Secure Linux Security Advisory #2002-0063
openssl

Source: XF
Type: UNKNOWN
openssl-ssl3-masterkey-bo(9715)

Vulnerable Configuration:

Configuration 1:

cpe:/a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:openssl:openssl:0.9.7:*:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.7:beta1:*:*:*:*:*:*

OR cpe:/a:openssl:openssl:0.9.7:beta2:*:*:*:*:*:*

AND

cpe:/o:redhat:linux:6.2:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:2.2:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:7.1:*:*:*:*:*:*:*

OR cpe:/o:trustix:secure_linux:1.1:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:7.2:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:1.0.1:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*

OR cpe:/o:trustix:secure_linux:1.2:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:trustix:secure_linux:1.5:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*

OR cpe:/o:engardelinux:secure_linux:-:*:*:*:*:*:*:*

OR cpe:/a:openpkg:openpkg:1.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:8.2:*:*:*:*:*:*:*

OR cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:3.0:*:*:*:*:*:*:*

OR cpe:/a:openpkg:openpkg:current:*:*:*:*:*:*:*

OR cpe:/o:hp:openvms:*:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_server:1.0.2.2:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:8.0:*:ppc:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:8.1:*:ia64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:8.2:*:ppc:*:*:*:*:*

OR cpe:/a:oracle:application_server:1.0.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:application_server:1.0.2.1:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.debian:def:136	V	multiple remote exploits	2002-07-30