CVE-2007-3108

low
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The BN_from_montgomery function in crypto/bn/bn_mont.c in OpenSSL 0.9.8e and earlier does not properly perform Montgomery multiplication, which might allow local users to conduct a side-channel attack and retrieve RSA private keys.

References

http://cvs.openssl.org/chngview?cn=16275

http://lists.vmware.com/pipermail/security-announce/2008/000002.html

http://openssl.org/news/patch-CVE-2007-3108.txt

http://secunia.com/advisories/26411

http://secunia.com/advisories/26893

http://secunia.com/advisories/27021

http://secunia.com/advisories/27078

http://secunia.com/advisories/27097

http://secunia.com/advisories/27205

http://secunia.com/advisories/27330

http://secunia.com/advisories/27770

http://secunia.com/advisories/27870

http://secunia.com/advisories/28368

http://secunia.com/advisories/30161

http://secunia.com/advisories/30220

http://secunia.com/advisories/31467

http://secunia.com/advisories/31489

http://secunia.com/advisories/31531

http://security.gentoo.org/glsa/glsa-200710-06.xml

http://support.attachmate.com/techdocs/2374.html

http://support.avaya.com/elmodocs2/security/ASA-2007-485.htm

http://www.bluecoat.com/support/securityadvisories/advisory_openssl_rsa_key_reconstruction_vulnerability

http://www.debian.org/security/2008/dsa-1571

http://www.gentoo.org/security/en/glsa/glsa-200805-07.xml

http://www.kb.cert.org/vuls/id/724968

http://www.kb.cert.org/vuls/id/RGII-74KLP3

http://www.mandriva.com/security/advisories?name=MDKSA-2007:193

http://www.redhat.com/support/errata/RHSA-2007-0813.html

http://www.redhat.com/support/errata/RHSA-2007-0964.html

http://www.redhat.com/support/errata/RHSA-2007-1003.html

http://www.securityfocus.com/archive/1/476341/100/0/threaded

http://www.securityfocus.com/archive/1/485936/100/0/threaded

http://www.securityfocus.com/archive/1/486859/100/0/threaded

http://www.securityfocus.com/bid/25163

http://www.vmware.com/security/advisories/VMSA-2008-0001.html

http://www.vmware.com/security/advisories/VMSA-2008-0013.html

http://www.vupen.com/english/advisories/2007/2759

http://www.vupen.com/english/advisories/2007/4010

http://www.vupen.com/english/advisories/2008/0064

http://www.vupen.com/english/advisories/2008/2361

http://www.vupen.com/english/advisories/2008/2362

http://www.vupen.com/english/advisories/2008/2396

https://issues.rpath.com/browse/RPL-1613

https://issues.rpath.com/browse/RPL-1633

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9984

https://usn.ubuntu.com/522-1/

Details

Source: MITRE

Published: 2007-08-08

Updated: 2018-10-16

Risk Information

CVSS v2

Base Score: 1.2

Vector: AV:L/AC:H/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 1.9

Severity: LOW

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions up to 0.9.8e (inclusive)

Tenable Plugins

View all (25 total)

IDNameProductFamilySeverity
127201NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl Multiple Vulnerabilities (NS-SA-2019-0033)NessusNewStart CGSL Local Security Checks
critical
127177NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl098e Multiple Vulnerabilities (NS-SA-2019-0020)NessusNewStart CGSL Local Security Checks
critical
125000EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1547)NessusHuawei Local Security Checks
medium
79964GLSA-201412-11 : AMD64 x86 emulation base libraries: Multiple vulnerabilities (Heartbleed)NessusGentoo Local Security Checks
critical
78217F5 Networks BIG-IP : OpenSSL vulnerability (SOL8108)NessusF5 Networks Local Security Checks
low
67585Oracle Linux 5 : openssl (ELSA-2007-0964)NessusOracle Linux Local Security Checks
high
67559Oracle Linux 3 : openssl (ELSA-2007-0813)NessusOracle Linux Local Security Checks
medium
67058CentOS 4 : openssl (CESA-2007:1003)NessusCentOS Local Security Checks
medium
60307Scientific Linux Security Update : openssl on SL4.x i386/x86_64NessusScientific Linux Local Security Checks
medium
60273Scientific Linux Security Update : openssl on SL3.x i386/x86_64NessusScientific Linux Local Security Checks
medium
60267Scientific Linux Security Update : openssl on SL5.x i386/x86_64NessusScientific Linux Local Security Checks
high
17760OpenSSL < 0.9.8f Multiple VulnerabilitiesNessusWeb Servers
high
43658CentOS 5 : openssl (CESA-2007:0964)NessusCentOS Local Security Checks
high
40381VMSA-2008-0013 : Updated ESX packages for OpenSSL, net-snmp, perlNessusVMware ESX Local Security Checks
critical
40372VMSA-2008-0001 : Moderate OpenPegasus PAM Authentication Buffer Overflow and updated service console packagesNessusVMware ESX Local Security Checks
high
4632Attachmate Reflection for Secure IT UNIX Server < 7.0 SP1 Multiple VulnerabilitiesNessus Network MonitorSSH
medium
33948Attachmate Reflection for Secure IT UNIX server < 7.0 SP1 Multiple VulnerabilitiesNessusMisc.
critical
28243RHEL 4 : openssl (RHSA-2007:1003)NessusRed Hat Local Security Checks
medium
28127Ubuntu 6.06 LTS / 6.10 / 7.04 : openssl vulnerabilities (USN-522-1)NessusUbuntu Local Security Checks
critical
27716Fedora 7 : openssl-0.9.8b-14.fc7 (2007-1444)NessusFedora Local Security Checks
low
27563RHEL 2.1 / 3 : openssl (RHSA-2007:0813)NessusRed Hat Local Security Checks
medium
27538CentOS 3 : openssl (CESA-2007:0813)NessusCentOS Local Security Checks
medium
27052RHEL 5 : openssl (RHSA-2007:0964)NessusRed Hat Local Security Checks
high
26950Mandrake Linux Security Advisory : openssl (MDKSA-2007:193)NessusMandriva Local Security Checks
critical
26946GLSA-200710-06 : OpenSSL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical