VuXML ID | Description |
d455708a-e3d3-11e6-9940-b499baebfeaf | OpenSSL -- multiple vulnerabilities
The OpenSSL project reports:
- Truncated packet could crash via OOB read (CVE-2017-3731)
- Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
- BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
- Montgomery multiplication may produce incorrect results (CVE-2016-7055)
Discovery 2017-01-26 Entry 2017-01-26 Modified 2017-05-26 openssl
< 1.0.2k,1
openssl-devel
< 1.1.0d
linux-c6-openssl
< 1.0.1e_13
linux-c7-openssl-libs
< 1.0.1e_3
FreeBSD
>= 11.0 lt 11.0_8
>= 10.3 lt 10.3_17
https://www.openssl.org/news/secadv/20170126.txt
CVE-2016-7055
CVE-2017-3730
CVE-2017-3731
CVE-2017-3732
SA-17:02.openssl
|
91a337d8-83ed-11e6-bf52-b499baebfeaf | OpenSSL -- multiple vulnerabilities
OpenSSL reports:
Critical vulnerability in OpenSSL 1.1.0a
Fix Use After Free for large message sizes (CVE-2016-6309)
Moderate vulnerability in OpenSSL 1.0.2i
Missing CRL sanity check (CVE-2016-7052)
Discovery 2016-09-26 Entry 2016-09-26 Modified 2016-10-10 openssl
< 1.0.2j,1
openssl-devel
< 1.1.0b
libressl
< 2.4.3
libressl-devel
< 2.4.3
FreeBSD
>= 11.0 lt 11.0_1
https://www.openssl.org/news/secadv/20160926.txt
CVE-2016-6309
CVE-2016-7052
SA-16:27.openssl
|
d778ddb0-2338-11ea-a1c7-b499baebfeaf | OpenSSL -- Overflow vulnerability
The OpenSSL project reports:
rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551) (Low)
There is an overflow bug in the x64_64 Montgomery squaring procedure
used in exponentiation with 512-bit moduli. No EC algorithms are
affected. Analysis suggests that attacks against 2-prime RSA1024,
3-prime RSA1536, and DSA1024 as a result of this defect would be very
difficult to perform and are not believed likely. Attacks against
DH512 are considered just feasible. However, for an attack the target
would have to re-use the DH512 private key, which is not recommended
anyway. Also applications directly using the low level API BN_mod_exp
may be affected if they use BN_FLG_CONSTTIME.
Discovery 2019-12-06 Entry 2019-12-20 openssl
< 1.0.2u,1
https://www.openssl.org/news/secadv/20191206.txt
CVE-2019-1551
|
6f0529e2-2e82-11e6-b2ec-b499baebfeaf | OpenSSL -- vulnerability in DSA signing
The OpenSSL team reports:
Operations in the DSA signing algorithm should run in constant time
in order to avoid side channel attacks. A flaw in the OpenSSL DSA
implementation means that a non-constant time codepath is followed for
certain operations. This has been demonstrated through a cache-timing
attack to be sufficient for an attacker to recover the private DSA key.
Discovery 2016-06-09 Entry 2016-06-09 Modified 2016-12-20 openssl
< 1.0.2_13
libressl
< 2.2.9
>= 2.3.0 lt 2.3.6
libressl-devel
< 2.4.1
https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
CVE-2016-2178
|
43eaa656-80bc-11e6-bf52-b499baebfeaf | OpenSSL -- multiple vulnerabilities
OpenSSL reports:
High: OCSP Status Request extension unbounded memory growth
SSL_peek() hang on empty record
SWEET32 Mitigation
OOB write in MDC2_Update()
Malformed SHA512 ticket DoS
OOB write in BN_bn2dec()
OOB read in TS_OBJ_print_bio()
Pointer arithmetic undefined behaviour
Constant time flag not preserved in DSA signing
DTLS buffered message DoS
DTLS replay protection DoS
Certificate message OOB reads
Excessive allocation of memory in tls_get_message_header()
Excessive allocation of memory in dtls1_preprocess_fragment()
NB: LibreSSL is only affected by CVE-2016-6304
Discovery 2016-09-22 Entry 2016-09-22 Modified 2016-10-11 openssl-devel
>= 1.1.0 lt 1.1.0_1
openssl
< 1.0.2i,1
linux-c6-openssl
< 1.0.1e_11
FreeBSD
>= 10.3 lt 10.3_8
>= 10.2 lt 10.2_21
>= 10.1 lt 10.1_38
>= 9.3 lt 9.3_46
https://www.openssl.org/news/secadv/20160922.txt
CVE-2016-6304
CVE-2016-6305
CVE-2016-2183
CVE-2016-6303
CVE-2016-6302
CVE-2016-2182
CVE-2016-2180
CVE-2016-2177
CVE-2016-2178
CVE-2016-2179
CVE-2016-2181
CVE-2016-6306
CVE-2016-6307
CVE-2016-6308
SA-16:26.openssl
|
f40f07aa-c00f-11e7-ac58-b499baebfeaf | OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports:
bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
Severity: Moderate
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that
attacks against RSA and DSA as a result of this defect would be
very difficult to perform and are not believed likely. Attacks
against DH are considered just feasible (although very difficult)
because most of the work necessary to deduce information about a
private key may be performed offline.
Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
Severity: Low
This issue was previously announced in security advisory
https://www.openssl.org/news/secadv/20170828.txt, but the fix has
not previously been included in a release due to its low severity.
Discovery 2017-11-02 Entry 2017-11-02 openssl
< 1.0.2m,1
openssl-devel
< 1.1.0g
https://www.openssl.org/news/secadv/20171102.txt
CVE-2017-3735
CVE-2017-3736
|
6f170cf2-e6b7-11e8-a9a8-b499baebfeaf | OpenSSL -- timing vulnerability
The OpenSSL project reports:
Microarchitecture timing vulnerability in ECC scalar
multiplication. Severity: Low
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has
been shown to be vulnerable to a microarchitecture timing side channel
attack. An attacker with sufficient access to mount local timing
attacks during ECDSA signature generation could recover the private
key.
Discovery 2018-11-12 Entry 2018-11-12 openssl
< 1.0.2p_2
https://www.openssl.org/news/secadv/20181112.txt
CVE-2018-5407
|
b7cff5a9-31cc-11e8-8f07-b499baebfeaf | OpenSSL -- multiple vulnerabilities
The OpenSSL project reports:
- Constructed ASN.1 types with a recursive definition could
exceed the stack (CVE-2018-0739)
Constructed ASN.1 types with a recursive definition (such as can be
found in PKCS7) could eventually exceed the stack given malicious input
with excessive recursion. This could result in a Denial Of Service
attack. There are no such structures used within SSL/TLS that come from
untrusted sources so this is considered safe.
- rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
There is an overflow bug in the AVX2 Montgomery multiplication
procedure used in exponentiation with 1024-bit moduli. This only
affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).
Discovery 2018-03-27 Entry 2018-03-27 openssl
< 1.0.2o,1
openssl-devel
< 1.1.0h
https://www.openssl.org/news/secadv/20180327.txt
CVE-2018-0739
CVE-2017-3738
|
c82ecac5-6e3f-11e8-8777-b499baebfeaf | OpenSSL -- Client DoS due to large DH parameter
The OpenSSL project reports:
During key agreement in a TLS handshake using a DH(E) based
ciphersuite a malicious server can send a very large prime value
to the client. This will cause the client to spend an unreasonably
long period of time generating a key for this prime resulting in a
hang until the client has finished. This could be exploited in a
Denial Of Service attack.
Discovery 2018-06-12 Entry 2018-06-12 Modified 2018-07-24 libressl
libressl-devel
< 2.6.5
>= 2.7.0 lt 2.7.4
openssl
< 1.0.2o_4,1
openssl-devel
< 1.1.0h_2
https://www.openssl.org/news/secadv/20180612.txt
CVE-2018-0732
|
0ca24682-3f03-11e6-b3c8-14dae9d210b8 | openssl -- denial of service
Mitre reports:
OpenSSL through 1.0.2h incorrectly uses pointer arithmetic
for heap-buffer boundary checks, which might allow remote attackers to
cause a denial of service (integer overflow and application crash) or
possibly have unspecified other impact by leveraging unexpected malloc
behavior, related to s3_srvr.c, ssl_sess.c, and t1_lib.c.
Discovery 2016-06-01 Entry 2016-06-30 openssl
< 1.0.2_14
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2177
ihttps://bugzilla.redhat.com/show_bug.cgi?id=1341705
https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/
CVE-2016-2177
|
7700061f-34f7-11e9-b95c-b499baebfeaf | OpenSSL -- Padding oracle vulnerability
The OpenSSL project reports:
0-byte record padding oracle (CVE-2019-1559) (Moderate)
If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive
one) then OpenSSL can respond differently to the calling application if
a 0 byte record is received with invalid padding compared to if a 0 byte
record is received with an invalid MAC. If the application then behaves
differently based on that in a way that is detectable to the remote peer,
then this amounts to a padding oracle that could be used to decrypt data.
Discovery 2019-02-19 Entry 2019-02-20 Modified 2019-03-07 openssl
< 1.0.2r,1
linux-c6-openssl
< 1.0.1e_16
https://www.openssl.org/news/secadv/20190226.txt
CVE-2019-1559
|
3bb451fc-db64-11e7-ac58-b499baebfeaf | OpenSSL -- multiple vulnerabilities
The OpenSSL project reports:
- Read/write after SSL object in error state (CVE-2017-3737)
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error
state" mechanism. The intent was that if a fatal error occurred
during a handshake then OpenSSL would move into the error state and
would immediately fail if you attempted to continue the handshake.
This works as designed for the explicit handshake functions
(SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to
a bug it does not work correctly if SSL_read() or SSL_write() is
called directly. In that scenario, if the handshake fails then a
fatal error will be returned in the initial function call. If
SSL_read()/SSL_write() is subsequently called by the application for
the same SSL object then it will succeed and the data is passed
without being decrypted/encrypted directly from the SSL/TLS record
layer.
- rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
There is an overflow bug in the AVX2 Montgomery multiplication
procedure used in exponentiation with 1024-bit moduli. No EC
algorithms are affected. Analysis suggests that attacks against
RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH1024 are
considered just feasible, because most of the work necessary to
deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be
significant. However, for an attack on TLS to be meaningful, the
server would have to share the DH1024 private key among multiple
clients, which is no longer an option since CVE-2016-0701.
Discovery 2017-12-07 Entry 2017-12-07 openssl
> 1.0.2 lt 1.0.2n
https://www.openssl.org/news/secadv/20171207.txt
CVE-2017-3737
CVE-2017-3738
|
0fcd3af0-a0fe-11e6-b1cf-14dae9d210b8 | FreeBSD -- OpenSSL Remote DoS vulnerability
Problem Description:
Due to improper handling of alert packets, OpenSSL would
consume an excessive amount of CPU time processing undefined
alert messages.
Impact:
A remote attacker who can initiate handshakes with an
OpenSSL based server can cause the server to consume a lot
of computation power with very little bandwidth usage, and
may be able to use this technique in a leveraged Denial of
Service attack.
Discovery 2016-11-02 Entry 2016-11-02 Modified 2017-02-22 FreeBSD
>= 10.3 lt 10.3_12
>= 10.2 lt 10.2_25
>= 10.1 lt 10.1_42
>= 9.3 lt 9.3_50
openssl
< 1.0.2i,1
openssl-devel
< 1.1.0a
linux-c6-openssl
< 1.0.1e_13
linux-c7-openssl-libs
< 1.0.1e_3
CVE-2016-8610
SA-16:35.openssl
http://seclists.org/oss-sec/2016/q4/224
|
8f353420-4197-11e8-8777-b499baebfeaf | OpenSSL -- Cache timing vulnerability
The OpenSSL project reports:
The OpenSSL RSA Key generation algorithm has been shown to be
vulnerable to a cache timing side channel attack. An attacker
with sufficient access to mount cache timing attacks during the
RSA key generation process could recover the private key.
Discovery 2018-04-16 Entry 2018-04-16 openssl
< 1.0.2o_2,1
openssl-devel
< 1.1.0h_1
https://www.openssl.org/news/secadv/20180416.txt
CVE-2018-0737
|
9e0c6f7a-d46d-11e9-a1c7-b499baebfeaf | OpenSSL -- Multiple vulnerabilities
The OpenSSL project reports:
ECDSA remote timing attack (CVE-2019-1547) [Low]
Fork Protection (CVE-2019-1549) [Low]
(OpenSSL 1.1.1 only)
Discovery 2019-09-10 Entry 2019-09-11 openssl
< 1.0.2t,1
openssl111
< 1.1.1d
https://www.openssl.org/news/secadv/20190910.txt
CVE-2019-1547
CVE-2019-1549
|