Information disclosure in OpenSSL



Published: 2016-03-01 | Updated: 2022-11-08
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2016-0800
CVE-2016-0702
CWE-ID CWE-327
CWE-200
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
Subscribe
OpenSSL
Server applications / Encryption software

Vendor OpenSSL Software Foundation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU1914

Risk: Medium

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:F/RL:O/RC:C]

CVE-ID: CVE-2016-0800

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists due to usage of weak SSLv2 protocol, which requires to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data. A remote attacker can decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle.

The vulnerability is dubbed "DROWN" attack.

Mitigation

Update to version 1.0.1s or 1.0.2g.

Vulnerable software versions

OpenSSL: 0.9.8 - 1.0.2

External links

http://drownattack.com/drown-attack-paper.pdf
http://openssl.org/news/secadv/20160301.txt


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

2) Information disclosure

EUVDB-ID: #VU1962

Risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-0702

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local attacker to decrypt data passed via encrypted SSL connection.

The vulnerability exists in the MOD_EXP_CTIME_COPY_FROM_PREBUF() function in crypto/bn/bn_exp.c. The application does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts.

The vulnerability was dubbed "CacheBleed".

Mitigation

Update to version 1.0.1s or 1.0.2g.

Vulnerable software versions

OpenSSL: 1.0.1 - 1.0.2f

External links

http://openssl.org/news/secadv/20160301.txt


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###