
SANS ISC: Metasploit now includes module to exploit CVE-2014-0195 (OpenSSL DTLS Fragment Vuln.) - Internet Security | DShield SANS ISC InfoSec Forums



Today's Metasploit release includes a module to ease exploitation of CVE-2014-0195 [1]. This vulnerability in the DTLS implementation of OpenSSL was patched last week and did not get the attention the MitM vulnerability (CVE-2014-0224) patched at the same time received. It is absolutely critical that you patch and/or firewall your DTLS services. This is complicated by the fact that many of them are part of embedded devices like routers and switches (SNMPv3) or VoIP systems. Your web servers are NOT affected by this: HTTPS runs over TLS/TCP, and the bug is in the DTLS (UDP) code path only.

The Metasploit module in its current form does NOT allow for code execution; it will only crash the service (a denial of service). The vulnerability could, however, be used to execute code on the target device.

Here again is a quick rundown of possibly affected protocols and the ports they are registered on:

SNMPv3 (161/UDP), LDAP over SSL (636/UDP), DTLS-SRP (VoIP, WebRTC, various ports), OpenVPN (1194/UDP)

Note that a listening UDP port alone does not make a service vulnerable: what matters is whether the product actually terminates DTLS with a vulnerable OpenSSL build. Treat the list as a starting point for inventory, then confirm with the vendor advisory or by probing the port for DTLS.

DTLS uses UDP over various ports. Some of the protocols listed above, e.g. DTLS-SRP, negotiate their ports dynamically between the endpoints. DTLS can also use port 4433 for some applications (it is the default port of OpenSSL's own s_server and s_client test tools).
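Since the practical advice here is "find and firewall your DTLS services", the following is an added example of a small DTLS inventory probe. It is not code from the diary or from the Metasploit module, and it does not touch the vulnerability at all: it sends a plain DTLS ClientHello to a UDP port, answers the HelloVerifyRequest cookie challenge if the server issues one, and classifies the reply, so you can tell whether a port on the list above is really speaking DTLS before deciding to firewall it. The cipher suite list, the default port set (taken from the diary plus 4433) and the two-second timeout are assumptions chosen for the example.

```python
import os
import socket
import struct

# DTLS protocol constants from RFC 4347 / RFC 6347.
DTLS_1_0 = 0xFEFF
DTLS_1_2 = 0xFEFD
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2
HS_HELLO_VERIFY_REQUEST = 3

# Assumption: a few widely supported suites are enough to get an answer
# (AES-CBC and 3DES with RSA/ECDHE key exchange, plus one AES-GCM suite).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0xC013, 0xC014, 0xC02F]

# Assumption: the candidate ports from the diary, plus OpenSSL's s_server default.
DEFAULT_PORTS = (161, 636, 1194, 4433)


def build_handshake_record(msg_type, body, version, message_seq=0):
    """Wrap a handshake body in a DTLS handshake header and a record header.

    One unfragmented message, epoch 0, record sequence number 0; that is all a
    single-flight probe needs.
    """
    hs = (struct.pack("!B", msg_type)
          + len(body).to_bytes(3, "big")        # message length
          + struct.pack("!H", message_seq)      # DTLS message_seq
          + (0).to_bytes(3, "big")              # fragment_offset
          + len(body).to_bytes(3, "big")        # fragment_length (whole message)
          + body)
    return (struct.pack("!BHH", CONTENT_HANDSHAKE, version, 0)  # type, version, epoch
            + (0).to_bytes(6, "big")                            # sequence number
            + struct.pack("!H", len(hs)) + hs)


def build_client_hello(version=DTLS_1_2, cookie=b"", client_random=None, message_seq=0):
    """Return one DTLS record carrying a ClientHello; cookie is empty on the first flight."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", version) + client_random
            + b"\x00"                                    # empty session_id
            + struct.pack("!B", len(cookie)) + cookie    # cookie (DTLS-only field)
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                               # compression: null only
    return build_handshake_record(HS_CLIENT_HELLO, body, version, message_seq)


def parse_response(data):
    """Classify the first DTLS record in a reply.

    'kind' is one of hello_verify_request, server_hello, alert or unknown; a
    HelloVerifyRequest also yields the cookie that must be echoed back.
    """
    if len(data) < 13:
        return {"kind": "unknown"}
    ctype, version, epoch = struct.unpack("!BHH", data[:5])
    rec_len = struct.unpack("!H", data[11:13])[0]
    frag = data[13:13 + rec_len]
    if ctype == CONTENT_ALERT and len(frag) >= 2:
        return {"kind": "alert", "level": frag[0], "description": frag[1]}
    if ctype != CONTENT_HANDSHAKE or len(frag) < 12:
        return {"kind": "unknown"}
    msg_type, body = frag[0], frag[12:]
    if msg_type == HS_HELLO_VERIFY_REQUEST and len(body) >= 3:
        cookie_len = body[2]
        return {"kind": "hello_verify_request",
                "version": struct.unpack("!H", body[:2])[0],
                "cookie": body[3:3 + cookie_len]}
    if msg_type == HS_SERVER_HELLO and len(body) >= 2:
        return {"kind": "server_hello", "version": struct.unpack("!H", body[:2])[0]}
    return {"kind": "unknown", "msg_type": msg_type}


def probe_dtls(host, port, timeout=2.0):
    """Send a ClientHello (twice if cookie-challenged) and report what host:port answers."""
    client_random = os.urandom(32)   # reused on the second flight, as RFC 6347 requires
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_client_hello(client_random=client_random), (host, port))
        reply = parse_response(sock.recv(4096))
        if reply["kind"] == "hello_verify_request":
            second = build_client_hello(cookie=reply["cookie"],
                                        client_random=client_random, message_seq=1)
            sock.sendto(second, (host, port))
            reply = parse_response(sock.recv(4096))
        return reply
    except socket.timeout:
        return {"kind": "no_response"}
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in DEFAULT_PORTS:
        print(target, p, probe_dtls(target, p))
```

Any reply of kind server_hello, hello_verify_request or alert means something on that port parses DTLS records and belongs on the patch-or-firewall list; no_response is inconclusive, since UDP services that ignore unexpected datagrams stay silent.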

[1] http://www.rapid7.com/db/modules/auxiliary/dos/ssl/dtls_fragment_overflow

---
Johannes B. Ullrich, Ph.D.
ISC Handler
ASA firmware probably incorporates OpenSSL 0.9.8.

DTLS data channel with TLS session control channel
enabled by default with Anyconnect active

# to disable
configure terminal
webvpn
enable outside tls-only # per-interface
exit
exit
Anonymous
