Denial of service in OpenSSL

Published: 2018-06-13 11:26:36 | Updated: 2018-08-14 23:13:24
Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2018-0732
Exploitation vector: Network
Public exploit: Not available
Vulnerable software: OpenSSL
Vulnerable software versions: OpenSSL 1.1.0h, OpenSSL 1.1.0g, OpenSSL 1.1.0f
Vendor URL: OpenSSL Software Foundation

Security Advisory

Update 2018-08-14: The vendor has issued fixes with official releases of 1.0.2p and 1.1.0i.

1) Improper input validation

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists because the affected software does not bound the size of the prime it accepts during key agreement in a Transport Layer Security (TLS) handshake that uses an Ephemeral Diffie-Hellman (DHE) cipher suite. A malicious OpenSSL server can send a very large prime value to a targeted OpenSSL client, and the client stops responding while it generates a key for that prime.
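As an added illustration (not OpenSSL's code and not part of this advisory), a Python parser for the ServerDHParams block of a TLS 1.2 ServerKeyExchange that rejects an oversized dh_p before the client does any key generation. It assumes the 10,000-bit cap the OpenSSL project adopted in its upstream fix (that figure is not stated on this page), and the encoder exists only to build constructed sample messages whose moduli are powers of two plus one, not real DH primes.

```python
import struct

# Upper bound on the DH modulus a client will accept. 10,000 bits is the cap the
# OpenSSL project adopted in its fix for CVE-2018-0732 (taken from the upstream
# fix, not from this advisory) and is far above any sane DHE group size.
MAX_DH_MODULUS_BITS = 10000

class DHParamsRejected(ValueError):
    pass  # the client aborts the handshake instead of computing anything

def _read_opaque16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector (2-byte length prefix) at off."""
    if off + 2 > len(buf):
        raise DHParamsRejected("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise DHParamsRejected("empty or truncated vector")
    return buf[off:off + n], off + n

def parse_server_dh_params(body, max_bits=MAX_DH_MODULUS_BITS):
    """Parse ServerDHParams {dh_p, dh_g, dh_Ys} from a TLS 1.2 ServerKeyExchange;
    dh_p is size-checked before dh_g/dh_Ys are read and, crucially, before any
    modular exponentiation: the DoS is in doing the math, not holding the bytes."""
    p_bytes, off = _read_opaque16(body, 0)
    p = int.from_bytes(p_bytes, "big")
    if p.bit_length() > max_bits:
        raise DHParamsRejected(f"dh_p is {p.bit_length()} bits, cap is {max_bits}")
    g_bytes, off = _read_opaque16(body, off)
    ys_bytes, off = _read_opaque16(body, off)
    g, ys = int.from_bytes(g_bytes, "big"), int.from_bytes(ys_bytes, "big")
    if p < 3 or g < 2 or not 1 < ys < p - 1:
        raise DHParamsRejected("degenerate DH parameters")
    return p, g, ys

def client_accepts(body, max_bits=MAX_DH_MODULUS_BITS):
    """True if the client may go on to generate its own key, else False."""
    try:
        parse_server_dh_params(body, max_bits)
        return True
    except DHParamsRejected:
        return False

def encode_server_dh_params(p, g, ys):
    """Encode ServerDHParams; used here only to construct sample messages."""
    def vec(n):
        b = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    return vec(p) + vec(g) + vec(ys)
```

Feeding client_accepts a constructed message with a 10,001-bit modulus returns False without any exponentiation being attempted, which is the shape of the fix: bound the input before the expensive computation, not after.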


Update to versions 1.1.0i or 1.0.2p.
