Rapid7 Vulnerability & Exploit Database

Huawei EulerOS: CVE-2021-3449: openssl security update

Back to Search

Huawei EulerOS: CVE-2021-3449: openssl security update

Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
Published
03/25/2021
Created
07/02/2021
Added
07/02/2021
Modified
07/02/2021

Description

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j).

Solution(s)

  • huawei-euleros-2_0_sp9-upgrade-openssl
  • huawei-euleros-2_0_sp9-upgrade-openssl-libs
  • huawei-euleros-2_0_sp9-upgrade-openssl-perl

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;