SB2017120804 - Multiple vulnerabilities in OpenSSL
Published: December 8, 2017
Security Bulletin ID
SB2017120804
Severity
Medium
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper input validation (CVE-ID: CVE-2017-3737)
The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.The weakness exists due to an "error state mechanism" when SSL_read() or SSL_write() is called directly after SSL object. A remote attacker can a specially crafted input, trigger a fatal error during a handshake and return it in the initial function call to access or modify sensitive information.
2) Buffer overflow (CVE-ID: CVE-2017-3738)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists due to buffer overflow in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. A remote attacker can cause the server to share the DH1024 private key among multiple clients and perform attack on TLS.
Remediation
Install update from vendor's website.