Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker

Category:   Application (VPN)  >   OpenSSL Vendors:
OpenSSL Flaw in Encrypt-Then-Mac Extension Negotiation Lets Remote Authenticated Users Cause the Target Service to Crash
SecurityTracker Alert ID:  1037846
SecurityTracker URL:
CVE Reference:   CVE-2017-3733   (Links to External Site)
Date:  Feb 16 2017
Impact:   Denial of service via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.1.0 to 1.1.0e
Description:   A vulnerability was reported in OpenSSL. A remote authenticated user can cause the target service to crash.

A remote authenticated user can trigger a crash during a renegotiate handshake and cause the target service to crash, depending on the selected cipher suite.

Negotiating the Encrypt-Then-Mac extension when the original handshake did not include the extension can trigger this flaw. Negotiating without the Encrypt-Then-Mac extension when the original handshake included the extension can also trigger this flaw.

Clients and servers are affected.

The vendor was notified on January 31, 2017.

Joe Orton (Red Hat) reported this vulnerability.

Impact:   A remote authenticated user can cause the target service to crash.
Solution:   The vendor has issued a fix (1.1.0e).

The vendor advisory is available at:

Vendor URL: (Links to External Site)
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 11 2017 (HPE Issues Fix for HPE Operations Agent) OpenSSL Flaw in Encrypt-Then-Mac Extension Negotiation Lets Remote Authenticated Users Cause the Target Service to Crash
HPE has issued a fix for HPE Operations Agent.

 Source Message Contents

Date:  Thu, 16 Feb 2017 12:21:24 +0000
Subject:  [openssl-announce] OpenSSL Security Advisory

Hash: SHA256

OpenSSL Security Advisory [16 Feb 2017]

Encrypt-Then-Mac renegotiation crash (CVE-2017-3733)

Severity: High

During a renegotiation handshake if the Encrypt-Then-Mac extension is
negotiated where it was not in the original handshake (or vice-versa) then this
can cause OpenSSL to crash (dependent on ciphersuite). Both clients and servers
are affected.

OpenSSL 1.1.0 users should upgrade to 1.1.0e

This issue does not affect OpenSSL version 1.0.2.

This issue was reported to OpenSSL on 31st January 2017 by Joe Orton (Red Hat).
The fix was developed by Matt Caswell of the OpenSSL development team.


Support for version 1.0.1 ended on 31st December 2016. Support for versions
0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
receiving security updates.


URL for this Security Advisory:

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:

openssl-announce mailing list
To unsubscribe:

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, LLC