FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- OpenSSL Remote DoS vulnerability

Affected packages
10.3 <= FreeBSD < 10.3_12
10.2 <= FreeBSD < 10.2_25
10.1 <= FreeBSD < 10.1_42
9.3 <= FreeBSD < 9.3_50
openssl < 1.0.2i,1
openssl-devel < 1.1.0a
linux-c6-openssl < 1.0.1e_13
linux-c7-openssl-libs < 1.0.1e_3

Details

VuXML ID 0fcd3af0-a0fe-11e6-b1cf-14dae9d210b8
Discovery 2016-11-02
Entry 2016-11-02
Modified 2017-02-22

Problem Description:

Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.

Impact:

A remote attacker who can initiate handshakes with an OpenSSL-based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.

References

CVE Name CVE-2016-8610
FreeBSD Advisory SA-16:35.openssl
URL http://seclists.org/oss-sec/2016/q4/224