#VU23451 Cryptographic issues


Published: 2019-12-08 | Updated: 2020-03-18

Vulnerability identifier: #VU23451

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-1551

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an overflow issue within the rsaz_512_sqr(): the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. A remote attacker can perform an attack against DH512 keys.

Mitigation
Install update from vendor's website.

Vulnerable software versions

OpenSSL: 1.1.1 - 1.1.1d, 1.0.2 - 1.0.2t


CPE

External links
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98
http://www.openssl.org/news/secadv/20191206.txt


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability