SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (VPN)  >   OpenSSL Vendors:   OpenSSL.org
OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
SecurityTracker Alert ID:  1034849
SecurityTracker URL:  http://securitytracker.com/id/1034849
CVE Reference:   CVE-2015-3197, CVE-2016-0701   (Links to External Site)
Updated:  Jan 28 2016
Original Entry Date:  Jan 28 2016
Impact:   Disclosure of authentication information, Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0.1, 1.0.2
Description:   Two vulnerabilities were reported in OpenSSL. A remote user can recover keys in certain cases. A remote user can negotiate disabled ciphers.

The system may use primes for generating Diffie Hellman (DH) parameters that are not safe when using X9.42 style parameter files [CVE-2016-0701]. A remote user that complete multiple handshakes with the target peer where the peer uses the same private DH exponent may be able to determine the target peer's private DH exponent and then conduct man-in-the-middle attacks against the ostensibly secure connection.

Systems that reuse the private DH exponent or use a static DH ciphersuite are affected.

Systems with the SSL_OP_SINGLE_DH_USE option for ephemeral DH (DHE) in TLS disabled reuse the same private DH exponent for the life of the server process and are affected.

Version 1.0.2 is affected.

The vendor was notified on January 12, 2016

Antonio Sanso (Adobe) reported this vulnerability.

When the SSLv2 protocol is not disabled via SSL_OP_NO_SSLv2 on the target server, a remote user can negotiate SSLv2 ciphers that have been disabled on the target server [CVE-2015-3197]. Versions 1.0.1 and 1.0.2 are affected.

The vendor was notified on December 26, 2015.

Nimrod Aviram and Sebastian Schinzel reported this vulnerability.

Impact:   A remote user can recover keys in certain cases.

A remote user can negotiate disabled ciphers.

Solution:   The vendor has issued a fix (1.0.1r, 1.0.2f).

The vendor's advisory is available at:

http://openssl.org/news/secadv/20160128.txt

Vendor URL:  openssl.org/news/secadv/20160128.txt (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 28 2016 (Ubuntu Issues Fix for OpenSSL) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Ubuntu has issued a fix for OpenSSL for Ubuntu Linux 15.10.
Jan 30 2016 (FreeBSD Issues Fix) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
FreeBSD has issued a fix for FreeBSD 9.3 and 10.2.
Feb 9 2016 (Cisco Issues Advisory for Cisco WebEx Meetings Server) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco WebEx Meetings Server.
Feb 9 2016 (Cisco Issues Advisory for Cisco Jabber for Windows) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco Jabber for Windows.
Feb 9 2016 (Cisco Issues Advisory for Cisco Intrusion Prevention System) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco Intrusion Prevention System.
Feb 9 2016 (Cisco Issues Advisory for Cisco Prime Collaboration) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco Prime Collaboration Deployment and Cisco Prime Collaboration Provisioning.
Feb 9 2016 (Cisco Issues Advisory for Cisco MDS 9000 Series) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco MDS 9000 Series Multilayer Switches.
Feb 9 2016 (Cisco Issues Advisory for Cisco Nexus Switches) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco Nexus 3000/3X00/5000/6000/7000.
Feb 9 2016 (Cisco Issues Advisory for Cisco 8800 Series IP Phones) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco 8800 Series IP Phones.
Feb 10 2016 (Cisco Issues Advisory for Cisco Emergency Responder) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco Emergency Responder.
Feb 10 2016 (Cisco Issues Advisory for Cisco MediaSense) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco MediaSense.
Feb 10 2016 (Cisco Issues Advisory for Cisco Unified Communications Manager) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco Unified Communications Manager.
Feb 11 2016 (Cisco Issues Advisory for Cisco Unified Contact Center Enterprise) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco Unified Contact Center Enterprise.
Feb 11 2016 (Cisco Issues Advisory for Cisco Unified Intelligent Contact Management) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco Unified Intelligent Contact Management.
Feb 11 2016 (Cisco Issues Advisory for Cisco Unity Connection) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco Unity Connection.
Feb 11 2016 (Cisco Issues Advisory for Cisco Edge 300 Digital Media Player) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco Edge 300 Digital Media Player.
Feb 11 2016 (Cisco Issues Advisory for Cisco TelePresence) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Cisco has issued an advisory for Cisco TelePresence Products.
Mar 1 2016 (Red Hat Issues Fix) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Mar 1 2016 (Red Hat Issues Fix) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Mar 1 2016 (CentOS Issues Fix) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
CentOS has issued a fix for CentOS 6 and 7.
Mar 1 2016 (Red Hat Issues Fix) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Red Hat has issued a fix for Red Hat Enterprise Linux 6.2, 6.4, and 6.5.
Mar 1 2016 (Red Hat Issues Fix) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Red Hat has issued a fix for Red Hat Enterprise Linux 5.6 and 5.9.
Mar 2 2016 (Red Hat Issues Fix) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Red Hat has issued a fix for Red Hat Enterprise Linux 6.6 and 7.1.
Mar 2 2016 (CentOS Issues Fix) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
CentOS has issued a fix for CentOS 5.
Mar 2 2016 (Oracle Issues Fix for Oracle Linux) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Oracle has issued a fix for Oracle Linux 6 and 7.
Mar 3 2016 (IBM Issues Fix for IBM AIX) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
IBM has issued a fix for IBM AIX 5.3, 6.1, 7.1, and 7.2.
Mar 9 2016 (Red Hat Issues Fix) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Mar 10 2016 (Red Hat Issues Fix for Red Hat Enterprise Virtualization) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Red Hat has issued a fix for Red Hat Enterprise Virtualization.
Mar 15 2016 (Red Hat Issues Fix for JBoss Web Server) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Red Hat has issued a fix for JBoss Web Server.
Mar 22 2016 (Red Hat Issues Fix for JBoss Enterprise Application Platform) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Red Hat has issued a fix for JBoss EAP for Windows and Solaris.
Apr 5 2016 (IBM Issues Fix for IBM Tivoli Workload Scheduler) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
IBM has issued a fix for IBM Tivoli Workload Scheduler.
Apr 19 2016 (Oracle Issues Fix for Oracle Enterprise Manager) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Oracle has issued a fix for Oracle Enterprise Manager OSS Support Tools.
Apr 20 2016 (Oracle Issues Fix for Oracle VM VirtualBox) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Oracle has issued a fix for Oracle VM VirtualBox.
Apr 20 2016 (Oracle Issues Fix for Oracle PeopleSoft Products) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Oracle has issued a fix for Oracle PeopleSoft Products.
Apr 20 2016 (Oracle Issues Fix for Oracle Exalogic Infrastructure) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Oracle has issued a fix for Oracle Fusion Middleware/Oracle Exalogic Infrastructure.
Apr 20 2016 (Oracle Issues Fix for Oracle Tuxedo) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Oracle has issued a fix for Oracle Fusion Middleware/Oracle Tuxedo.
Apr 22 2016 (IBM Issues Fix for IBM Tivoli Netcool System Service Monitor) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
IBM has issued a fix for IBM Tivoli Netcool System Service Monitor 4.0.0 and 4.0.1.
Jun 7 2016 (HP Issues Fix for HPE Universal Configuration Management Database) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
HP has issued a fix for HPE Universal Configuration Management Database.
Jul 19 2016 (Oracle Issues Fix for Oracle Primavera Products Suite) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Oracle has issued a fix for Oracle Primavera Products Suite.
Jul 20 2016 (Oracle Issues Fix for Oracle JD Edwards EnterpriseOne Tools) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
Oracle has issued a fix for Oracle JD Edwards EnterpriseOne Tools.
Aug 9 2016 (IBM Issues Fix for IBM Cognos TM1) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
IBM has issued a fix for IBM Cognos TM1.
Apr 27 2018 (IBM Issues Fix for IBM InfoSphere Information Server) OpenSSL Flaws Let Remote Users Recover DH Keys in Certain Cases and Let Remote Users Negotiate Disabled Ciphers
IBM has issued a fix for IBM InfoSphere Information Server.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC