CVE-1999-0428 in OpenSSL
Summary
by MITRE
OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/19/2026
The vulnerability described in CVE-1999-0428 represents a critical flaw in the SSL/TLS implementation of both OpenSSL and SSLeay cryptographic libraries that was discovered in the late 1990s. This weakness specifically targets the session resumption mechanism within the SSL protocol, which is designed to improve performance by allowing clients and servers to reuse previously established session parameters without repeating the full handshake process. The vulnerability enables remote attackers to exploit improper session management controls, potentially allowing unauthorized access to protected resources that should require authentication and authorization.
The technical flaw manifests in the way these cryptographic libraries handle SSL session identifiers and tickets during the session resumption process. When a client establishes an SSL connection with a server, the server typically generates a session identifier that the client can reuse in subsequent connections to avoid the computational overhead of full key exchange operations. However, the vulnerability in OpenSSL and SSLeay allows attackers to manipulate or reuse these session identifiers in ways that bypass the normal access control mechanisms that should prevent unauthorized connections. This occurs because the libraries fail to properly validate session parameters or maintain adequate session state management, creating opportunities for session hijacking attacks where an attacker can impersonate a legitimate user.
The operational impact of this vulnerability extends beyond simple session reuse, as it fundamentally undermines the security model of SSL/TLS connections. Attackers who successfully exploit this weakness can potentially access protected resources without proper authentication, as the reused sessions may carry credentials or access tokens that should be bound to specific authenticated sessions. This vulnerability particularly affects web servers, email servers, and other network services that rely on SSL/TLS for secure communications, potentially allowing unauthorized access to sensitive data, confidential communications, and protected system resources. The implications are significant for organizations relying on these cryptographic libraries for their security infrastructure, as the vulnerability could enable persistent unauthorized access to critical systems.
This vulnerability aligns with CWE-305, which addresses authentication flaws in cryptographic implementations, and relates to ATT&CK technique T1566 for credential harvesting and T1071 for application layer protocol usage. Organizations should implement immediate mitigations including updating to patched versions of OpenSSL and SSLeay, disabling session resumption where possible, and implementing additional access control measures. Network administrators should monitor for unusual session reuse patterns and consider implementing session timeout mechanisms that prevent long-lived session identifiers from being exploited. The vulnerability also highlights the importance of proper cryptographic library maintenance and the need for regular security assessments of SSL/TLS implementations in production environments. Organizations should also consider implementing additional security controls such as multi-factor authentication and network segmentation to reduce the impact of potential session reuse attacks.