Main Vulnerability Database Vulnerabilities #VU5420

Out-of-bounds read in OpenSSL - CVE-2017-3731

Published: January 27, 2017 / Updated: January 27, 2017

Vulnerability identifier: #VU5420

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2017-3731

CWE-ID: CWE-125

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: OpenSSL Software Foundation

Affected software:
OpenSSL

Detailed vulnerability description

The vulnerability allows a remote attacker to cause denial of service conditions.

The vulnerability exists due to out-of-bounds read in OpenSSL when processing truncated packets on 32-bit system using certain ciphers. A remote attacker can send a specially crafted truncated packet using CHACHA20/POLY1305 cipher for OpenSSL 1.1.0 or RC4-MD5 for 1.0.2 and trigger denial of service.

Successful exploitation of the vulnerability may allow an attacker to perform denial of service (DoS) attack against vulnerable system.

How to mitigate CVE-2017-3731

Update OpenSSL to version 1.0.2k or 1.1.0d.

Sources

https://www.openssl.org/news/secadv/20170126.txt

Out-of-bounds read in OpenSSL - CVE-2017-3731

Detailed vulnerability description

How to mitigate CVE-2017-3731

Sources

Please verify you're human