CVE-2010-4180 — MEDIUM (4.3)

Q: How severe is CVE-2010-4180?

CVE-2010-4180 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2010-4180?

Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux, Opensuse Opensuse.

Vulnerability Description

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

CVSS Score

4.3

MEDIUM

AV:N/AC:M/Au:N/C:N/I:P/A:N

Confidentiality

NONE

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Openssl	Openssl	< 0.9.8q
Fedoraproject	Fedora	13
Debian	Debian Linux	5.0
Canonical	Ubuntu Linux	6.06
Opensuse	Opensuse	11.1
Suse	Linux Enterprise	11.0
Suse	Linux Enterprise Desktop	10
Suse	Linux Enterprise Server	9
F5	Nginx	< 0.9.2

References

http://cvs.openssl.org/chngview?cn=20131Broken LinkPatch
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777Broken Link
http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.htmlBroken LinkMailing ListThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052027.hMailing ListThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052315.hMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.htmlMailing ListThird Party Advisory
http://marc.info/?l=bugtraq&m=129916880600544&w=2Issue TrackingThird Party Advisory
http://marc.info/?l=bugtraq&m=130497251507577&w=2Issue TrackingThird Party Advisory
http://marc.info/?l=bugtraq&m=132077688910227&w=2Issue TrackingThird Party Advisory
http://openssl.org/news/secadv_20101202.txtPatchThird Party Advisory
http://osvdb.org/69565Broken Link
http://secunia.com/advisories/42469Not Applicable

FAQ

What is CVE-2010-4180?

CVE-2010-4180 is a vulnerability with a CVSS score of 4.3 (MEDIUM). OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows re...

How severe is CVE-2010-4180?

CVE-2010-4180 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2010-4180?

Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Fedoraproject Fedora, Debian Debian Linux, Canonical Ubuntu Linux, Opensuse Opensuse.