Sid 1-51344

Message

SERVER-OTHER OpenSSL TLS anomalous non-zero length session ticket in client hello

Summary

This event is generated when an anomalous non-zero length session ticket is sent in the TLS client hello.

Impact

Attempted Denial of Service

CVE-2014-3567:

CVSS base score 7.1

CVSS impact score 6.9

CVSS exploitability score 8.6

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

Detailed information

CVE-2014-3567: Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted session ticket that triggers an integrity-check failure.

Affected systems

  • openssl openssl 0.9.8zb
  • openssl openssl 1.0.0
  • openssl openssl 1.0.0a
  • openssl openssl 1.0.0b
  • openssl openssl 1.0.0c
  • openssl openssl 1.0.0d
  • openssl openssl 1.0.0e
  • openssl openssl 1.0.0f
  • openssl openssl 1.0.0g
  • openssl openssl 1.0.0h
  • openssl openssl 1.0.0i
  • openssl openssl 1.0.0j
  • openssl openssl 1.0.0k
  • openssl openssl 1.0.0l
  • openssl openssl 1.0.0m
  • openssl openssl 1.0.0n
  • openssl openssl 1.0.1
  • openssl openssl 1.0.1a
  • openssl openssl 1.0.1b
  • openssl openssl 1.0.1c
  • openssl openssl 1.0.1d
  • openssl openssl 1.0.1e
  • openssl openssl 1.0.1f
  • openssl openssl 1.0.1g
  • openssl openssl 1.0.1h
  • openssl openssl 1.0.1i
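
For alert triage, the version ranges in the CVE text above can be checked against the version a server reports. The following is an added example, not part of the original rule documentation; the function names and the sample banners are constructed for illustration.

```python
import re

# First fixed release per branch, taken from the CVE-2014-3567 text above.
FIXED = {(0, 9, 8): "zc", (1, 0, 0): "o", (1, 0, 1): "j"}

# x.y.z plus an optional one- or two-letter release suffix; "-fips" builds allowed.
_VERSION = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?:-fips)?(?![\w.-])")


def parse(text):
    """Return ((major, minor, patch), letter_suffix), or None if unparseable.

    Accepts a bare version ("1.0.1i") or an `openssl version` banner.
    Pre-release tags such as "1.0.1-beta1" are rejected rather than guessed at.
    """
    m = _VERSION.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4)


def _rank(suffix):
    # Letter releases run a..z and then za, zb, ...: order by length, then text.
    return (len(suffix), suffix)


def status(text):
    """Classify a version as 'affected', 'fixed', 'not-listed' or 'unknown'."""
    parsed = parse(text)
    if parsed is None:
        return "unknown"
    branch, suffix = parsed
    if branch in FIXED:
        return "affected" if _rank(suffix) < _rank(FIXED[branch]) else "fixed"
    if branch < (0, 9, 8):
        return "affected"  # literal reading of "before 0.9.8zc"
    return "not-listed"    # branch is not named in the CVE text


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("0.9.8zb", "0.9.8zc", "OpenSSL 1.0.1i 6 Aug 2014",
                   "1.0.1j", "1.0.2a", "1.0.1-beta1"):
        print(f"{sample!r:32} {status(sample)}")
```

Distribution packages often backport fixes without changing the upstream version string, so an "affected" result is a prompt to check the vendor's advisory for the installed package.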

Ease of attack

CVE-2014-3567:

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

False positives

False negatives

Corrective action

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • www.openssl.org/news/secadv/20141015.txt