Secure Sockets Layer message denial of service (SSL_Hello_Msg_DoS)

About this signature or vulnerability

Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, RealSecure Server Sensor, RealSecure Network, BlackICE Server Protection, BlackICE PC Protection, BlackICE Agent for Server, Proventia Network IDS, Proventia Desktop, Proventia-G 1.1 and earlier, IBM Security Server Protection for Windows, Proventia Network MFS, Virtual Server Protection for Vmware:

This signature detects a specially crafted SSL Hello Message that could DoS a SSL server.


Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, Proventia Server IPS for Linux technology: 1.0, RealSecure Desktop: baseline, RealSecure Server Sensor: XPU 22.16, RealSecure Network: XPU 22.16, BlackICE Server Protection: 3.6.cpa, BlackICE PC Protection: 3.6cpa, BlackICE Agent for Server: 3.6eof, Proventia Network IDS: XPU 22.16, Proventia Desktop: 8.0.614.1, Proventia-G 1.1 and earlier: XPU 22.16, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 1.0.914.0, Proventia Network MFS: XPU 1.14, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Windows 2000, Microsoft Windows XP, Microsoft Windows 2003 Server

Type

Denial of Service

Vulnerability description

Multiple vendor applications are vulnerable to a denial of service. The Secure Sockets Layer (SSL) library fails to properly check user-supplied input in SSL messages. If SSL is enabled, a remote attacker could send a specially-crafted SSL message to the vulnerable system to cause a denial of service.

Note: On Microsoft Windows 2000 and Windows XP, an attacker could cause the system to stop accepting SSL connections. On Microsoft Windows Server 2003, an attacker could cause the affected system to restart automatically.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS04-011. See References.

References

Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

CIAC Information Bulletin O-114
Microsoft Security Update for Microsoft Windows
http://www.ciac.org/ciac/bulletins/o-114.shtml

CERT Vulnerability Note VU#150236
Microsoft Windows Secure Sockets Layer (SSL) library vulnerable to DoS
http://www.kb.cert.org/vuls/id/150236

Packet Storm Web Site
sslbomb.c
http://packetstormsecurity.nl/0404-exploits/sslbomb.c

Internet Security Systems Security Alert, April 13, 2004
Multiple Vulnerabilities in Microsoft Products
http://xforce.iss.net/xforce/alerts/id/169

CIAC Information Bulletin O-114
Microsoft Security Update for Microsoft Windows [REVISED 25 Jun 2004]
http://www.ciac.org/ciac/bulletins/o-114.shtml

IBM Internet Security Systems Protection Alert
Pushdo SSL DDoS Attacks
http://www.iss.net/threats/pushdoSSLDDoS.html

ISS X-Force
Secure Sockets Layer message denial of service
http://www.iss.net/security_center/static/15712.php

CVE
CVE-2004-0120
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0120