Collision forgery attack - CVE-2016-0924
Published: September 16, 2016
Vulnerability identifier: #VU488
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-0924
CWE-ID: CWE-327
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor:
Affected software:
Detailed vulnerability description
The vulnerability allows a remote attacker to perform a collision forgery attack against the target system.
The weakness exists because the server produces signatures with obsolete hash algorithms (e.g., MD5) in TLS 1.2 ServerKeyExchange messages, which makes the system vulnerable to transcript collision (SLOTH) attacks.
Successful exploitation of the vulnerability may allow a remote attacker to conduct a collision attack.
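As an added example (not from this advisory or the affected vendor), the following Python parses a TLS 1.2 ECDHE ServerKeyExchange record and flags a signature made with an obsolete hash such as MD5, the condition described above; the sample records are constructed inline, and the curve point and signature bytes in them are dummies.

```python
import struct

# TLS 1.2 SignatureAndHashAlgorithm identifiers (RFC 5246, section 7.4.1.4.1)
HASH_NAMES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG_NAMES = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
# Hashes a server must not sign with; extend with "sha1" if local policy forbids it too
OBSOLETE_HASHES = {"none", "md5"}


def parse_ske_sig_alg(record: bytes):
    """Return (hash_name, sig_name) from a TLS 1.2 ECDHE ServerKeyExchange record."""
    ctype, version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or version != 0x0303:
        raise ValueError("not a TLS 1.2 handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x0C:
        raise ValueError("not a ServerKeyExchange message")
    hs_len = int.from_bytes(body[1:4], "big")
    ske = body[4:4 + hs_len]
    if ske[0] != 0x03:
        raise ValueError("only named_curve ECDHE params are handled here")
    point_len = ske[3]
    off = 4 + point_len  # skip curve_type(1) + named_curve(2) + point_len(1) + point
    hash_id, sig_id = ske[off], ske[off + 1]
    return HASH_NAMES.get(hash_id, f"unknown({hash_id})"), SIG_NAMES.get(sig_id, f"unknown({sig_id})")


def uses_obsolete_signature_hash(record: bytes) -> bool:
    """True if the server signed its key exchange with a hash that SLOTH-style collisions target."""
    hash_name, _ = parse_ske_sig_alg(record)
    return hash_name in OBSOLETE_HASHES


def build_ske(hash_id: int, sig_id: int) -> bytes:
    """Constructed sample: ECDHE ServerKeyExchange over secp256r1 with dummy point and signature."""
    point = b"\x04" + b"\x11" * 64            # placeholder uncompressed P-256 point
    signature = b"\x22" * 256                 # placeholder 2048-bit RSA signature
    params = b"\x03" + b"\x00\x17" + bytes([len(point)]) + point
    ske = params + bytes([hash_id, sig_id]) + struct.pack("!H", len(signature)) + signature
    handshake = b"\x0c" + len(ske).to_bytes(3, "big") + ske
    return struct.pack("!BHH", 0x16, 0x0303, len(handshake)) + handshake


MD5_SIGNED_SKE = build_ske(1, 1)     # rsa + md5: the obsolete choice this advisory concerns
SHA256_SIGNED_SKE = build_ske(4, 1)  # rsa + sha256: acceptable

if __name__ == "__main__":
    for label, rec in (("md5", MD5_SIGNED_SKE), ("sha256", SHA256_SIGNED_SKE)):
        verdict = "OBSOLETE" if uses_obsolete_signature_hash(rec) else "ok"
        print(label, parse_ske_sig_alg(rec), verdict)
```

The same check can be run on ServerKeyExchange records captured from a server under test to confirm that the fixed versions no longer sign with MD5.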
How to mitigate CVE-2016-0924
Update the affected software to version 4.0.9 or 4.1.5.