CVE-2010-4180
MEDIUM severity · CVSS 4.3
4.3CVSS MEDIUM
Summary
OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
Impact & exploitability
Attack vectorNetwork
Attack complexity—
Privileges required—
User interaction—
Confidentiality impactNone
Integrity impact—
Availability impactNone
Exploit probability (EPSS)9%
AV:N/AC:M/Au:N/C:N/I:P/A:N
Affected products we track (7)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Official patch: http://cvs.openssl.org/chngview?cn=20131 ↗
Additional information
- NVD record
- http://cvs.openssl.org/chngview?cn=20131Patch
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777
- http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.htmlAdvisory
- http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052027.htmlAdvisory
- http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052315.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.htmlAdvisory