Arch Linux update for openssl

Published: 2019-06-12 | Updated: 2019-06-12
Severity: Low
Patch available: Yes
Number of vulnerabilities: 1
CVE ID: CVE-2019-1543
CWE ID: CWE-327
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Arch Linux
Vendor: Arch Linux

Security Advisory

This security advisory describes one low risk vulnerability.

1) Use of a broken or risky cryptographic algorithm

Severity: Low

CVSSv3: 3.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1543

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

Description

The vulnerability allows a remote attacker to gain access to encrypted data.

The vulnerability exists due to incorrect nonce handling in the ChaCha20-Poly1305 cipher implementation. A message encrypted with this cipher under a reused nonce is susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then changes only the leading bytes of the nonce, expecting the result to be a new unique nonce, it could inadvertently encrypt messages with a reused nonce.

This vulnerability does not affect internal usage of the cipher within OpenSSL. However, if an application uses this cipher directly and sets a non-default nonce length longer than 12 bytes, it may be vulnerable.
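To make the failure mode concrete, the following is an added example written for this page; it is not OpenSSL's code and not part of the advisory. It implements the ChaCha20 keystream from RFC 7539 in pure Python, and `flawed_nonce_setup` is an assumed, simplified model of the behaviour described above (a nonce longer than 12 bytes is accepted but only its trailing 12 bytes reach the cipher, so varying the leading bytes changes nothing). `strict_nonce_setup` is the caller-side check that prevents the problem. Poly1305 is left out; the nonce-reuse confidentiality loss is visible in the keystream alone, and the keys, nonces and messages are constructed sample values.

```python
"""Added illustration of the nonce-handling issue described in the advisory.

Pure-Python ChaCha20 keystream per RFC 7539. The two nonce-setup functions are
a model of the described behaviour and a defensive policy; neither is OpenSSL code.
"""
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    # RFC 7539 section 2.1 quarter round on state words a, b, c, d
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce12):
    """One 64-byte keystream block (RFC 7539 section 2.3): 256-bit key, 32-bit counter, 96-bit nonce."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & MASK32]
             + list(struct.unpack("<3I", nonce12)))
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12)
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce12, data, counter=1):
    """Encrypt or decrypt by XORing with the keystream. The RFC 7539 AEAD starts data at
    counter 1 because block 0 derives the Poly1305 one-time key, so a reused nonce also
    reuses the authentication key (the integrity half of the advisory's warning)."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce12)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)


def flawed_nonce_setup(nonce):
    """Model of the pre-fix behaviour the advisory describes (an assumption, not OpenSSL code):
    a nonce shorter than 12 bytes is zero-padded in front; a nonce of 13..16 bytes is accepted,
    but only its trailing 12 bytes reach the cipher, so the leading bytes never affect the keystream."""
    if len(nonce) > 16:
        raise ValueError("nonce longer than 16 bytes")
    if len(nonce) < 12:
        nonce = b"\x00" * (12 - len(nonce)) + nonce
    return nonce[-12:]


def strict_nonce_setup(nonce):
    """Defensive policy for callers: insist on the RFC 7539 96-bit nonce, so every byte the
    caller varies is a byte the cipher actually consumes."""
    if len(nonce) != 12:
        raise ValueError("ChaCha20-Poly1305 nonce must be exactly 12 bytes, got %d" % len(nonce))
    return nonce


def nonce_reuse_leak(key, nonce_a, nonce_b, p1, p2, setup=flawed_nonce_setup):
    """Encrypt p1 under nonce_a and p2 under nonce_b and return (c1 XOR c2, p1 XOR p2).
    With genuinely distinct nonces the two differ; when the keystream is silently reused
    they are equal, which is the confidentiality loss the advisory refers to."""
    c1 = chacha20_xor(key, setup(nonce_a), p1)
    c2 = chacha20_xor(key, setup(nonce_b), p2)
    ct_xor = bytes(a ^ b for a, b in zip(c1, c2))
    pt_xor = bytes(a ^ b for a, b in zip(p1, p2))
    return ct_xor, pt_xor


if __name__ == "__main__":
    key = bytes(range(32))                   # constructed sample key
    tail = b"\x11" * 12                      # constructed shared trailing 12 bytes
    nonce_a = b"\x00\x00\x00\x01" + tail     # 16-byte nonces differing only in the leading bytes
    nonce_b = b"\x00\x00\x00\x02" + tail
    p1 = b"message number one"               # constructed sample messages
    p2 = b"message number two"
    ct_xor, pt_xor = nonce_reuse_leak(key, nonce_a, nonce_b, p1, p2)
    print("keystream reused under flawed model:", ct_xor == pt_xor)
    try:
        strict_nonce_setup(nonce_a)
    except ValueError as e:
        print("strict policy rejects the 16-byte nonce:", e)
```

Under the flawed model the two 16-byte nonces collapse to the same 12-byte value, so the XOR of the ciphertexts equals the XOR of the plaintexts; under the strict policy the 16-byte nonce is refused before any encryption happens, which is the check an application using the cipher directly should apply regardless of library version.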

Mitigation

Update the affected package openssl to version 1.1.1.c-1.

Vulnerable software versions

Arch Linux: -

External links

https://security.archlinux.org/advisory/ASA-201906-7

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.