Denial of service in OpenSSL

Published: 2018-06-13 11:26:36 | Updated: 2018-08-14 23:13:24
Severity Low
Patch available YES
Number of vulnerabilities 1
CVE ID CVE-2018-0732
CVSSv3 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CWE ID CWE-20
Exploitation vector Network
Public exploit Not available
Vulnerable software OpenSSL
Vulnerable software versions OpenSSL 1.1.0h
OpenSSL 1.1.0g
OpenSSL 1.1.0f
Show more
Vendor URL OpenSSL Software Foundation

Security Advisory

Update 2018-08-14: The vendor has issued fixes with official releases of 1.0.2p and 1.1.0i.

1) Improper input validation

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to improper handling of large prime values by the affected software during key agreement operations in a Transport Layer Security (TLS) handshake using an Ephemeral Diffie-Hellman (DHE) based cipher suite. A remote attacker can send a large prime value from a malicious OpenSSL server to a targeted OpenSSL client and cause the client to stop responding while generating a key for the prime value.

Remediation

Update to versions 1.1.0i or 1.0.2p.

External links

https://www.openssl.org/news/secadv/20180612.txt

Back to List