CVE-2011-4108

MEDIUM

Description

The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.

References

http://aix.software.ibm.com/aix/efixes/security/openssl_advisory3.asc

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03360041

http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html

http://lists.fedoraproject.org/pipermail/package-announce/2012-November/092905.html

http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00017.html

http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00018.html

http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html

http://marc.info/?l=bugtraq&m=132750648501816&w=2

http://marc.info/?l=bugtraq&m=133951357207000&w=2

http://marc.info/?l=bugtraq&m=134039053214295&w=2

http://rhn.redhat.com/errata/RHSA-2012-1306.html

http://rhn.redhat.com/errata/RHSA-2012-1307.html

http://rhn.redhat.com/errata/RHSA-2012-1308.html

http://secunia.com/advisories/48528

http://secunia.com/advisories/57260

http://secunia.com/advisories/57353

http://support.apple.com/kb/HT5784

http://www.debian.org/security/2012/dsa-2390

http://www.isg.rhul.ac.uk/~kp/dtls.pdf

http://www.kb.cert.org/vuls/id/737740

http://www.mandriva.com/security/advisories?name=MDVSA-2012:006

http://www.mandriva.com/security/advisories?name=MDVSA-2012:007

http://www.openssl.org/news/secadv_20120104.txt

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1004564

https://securityadvisories.paloaltonetworks.com/Home/Detail/17

Details

Source: MITRE

Published: 2012-01-06

Updated: 2016-08-23

Type: CWE-310

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:openssl:openssl:0.9.1c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.2b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.4:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.5a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6h:bogus:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.6m:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.7m:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8e:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8f:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8g:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8h:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8i:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8j:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8k:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8l:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8m:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8n:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8o:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8p:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:0.9.8q:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions up to 0.9.8r (inclusive)

Configuration 2

OR

cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions up to 1.0.0e (inclusive)

Tenable Plugins

View all (44 total)

IDNameProductFamilySeverity
125001EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1548)NessusHuawei Local Security Checks
high
89038VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0013) (remote check)NessusMisc.
high
80715Oracle Solaris Third-Party Patch Update : openssl (cve_2012_0050_denial_of)NessusSolaris Local Security Checks
high
79532OracleVM 3.2 : onpenssl (OVMSA-2014-0008)NessusOracleVM Local Security Checks
critical
79531OracleVM 2.2 : openssl (OVMSA-2014-0007)NessusOracleVM Local Security Checks
critical
78181F5 Networks BIG-IP : OpenSSL vulnerability (SOL15388)NessusF5 Networks Local Security Checks
medium
75908openSUSE Security Update : libopenssl-devel (openSUSE-SU-2012:0083-1)NessusSuSE Local Security Checks
medium
75598openSUSE Security Update : libopenssl-devel (openSUSE-SU-2012:0083-1)NessusSuSE Local Security Checks
medium
74901openSUSE Security Update : openssl (openSUSE-SU-2013:0336-1)NessusSuSE Local Security Checks
high
74722openSUSE Security Update : openssl (openSUSE-2012-52)NessusSuSE Local Security Checks
medium
73561AIX OpenSSL Advisory : openssl_advisory3.ascNessusAIX Local Security Checks
high
70885ESXi 5.0 < Build 912577 Multiple Vulnerabilities (remote check)NessusMisc.
high
69645Amazon Linux AMI : openssl (ALAS-2012-38)NessusAmazon Linux Local Security Checks
medium
68438Oracle Linux 5 : openssl (ELSA-2012-0060)NessusOracle Linux Local Security Checks
high
68437Oracle Linux 6 : openssl (ELSA-2012-0059)NessusOracle Linux Local Security Checks
medium
801016Mac OS X 10.8 < 10.8.4 Multiple Vulnerabilities (Security Update 2013-002)Log Correlation EngineOperating System Detection
high
6857Mac OS X 10.8 < 10.8.4 Multiple Vulnerabilities (Security Update 2013-002)Nessus Network MonitorWeb Clients
critical
66809Mac OS X Multiple Vulnerabilities (Security Update 2013-002)NessusMacOS X Local Security Checks
critical
66808Mac OS X 10.8.x < 10.8.4 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
high
63031Fedora 18 : mingw-openssl-1.0.1c-1.fc18 (2012-18035)NessusFedora Local Security Checks
high
61942Mandriva Linux Security Advisory : openssl (MDVSA-2012:007)NessusMandriva Local Security Checks
high
61747VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party librariesNessusVMware ESX Local Security Checks
high
61225Scientific Linux Security Update : openssl on SL6.x i386/x86_64 (20120124)NessusScientific Linux Local Security Checks
medium
61224Scientific Linux Security Update : openssl on SL5.x i386/x86_64 (20120124)NessusScientific Linux Local Security Checks
high
59851HP System Management Homepage < 7.1.1 Multiple VulnerabilitiesNessusWeb Servers
critical
58222GLSA-201203-12 : OpenSSL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
57887Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : openssl vulnerabilities (USN-1357-1)NessusUbuntu Local Security Checks
high
57731CentOS 6 : openssl (CESA-2012:0059)NessusCentOS Local Security Checks
medium
57692CentOS 5 : openssl (CESA-2012:0060)NessusCentOS Local Security Checks
high
57678RHEL 5 : openssl (RHSA-2012:0060)NessusRed Hat Local Security Checks
high
57677RHEL 6 : openssl (RHSA-2012:0059)NessusRed Hat Local Security Checks
medium
57671Fedora 15 : openssl-1.0.0g-1.fc15 (2012-0702)NessusFedora Local Security Checks
medium
57627Fedora 16 : openssl-1.0.0g-1.fc16 (2012-0708)NessusFedora Local Security Checks
medium
57570SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 7923)NessusSuSE Local Security Checks
high
57569SuSE 11.1 Security Update : OpenSSL (SAT Patch Number 5635)NessusSuSE Local Security Checks
high
57568Mandriva Linux Security Advisory : openssl (MDVSA-2012:006)NessusMandriva Local Security Checks
high
57551FreeBSD : OpenSSL -- multiple vulnerabilities (78cc8a46-3e56-11e1-89b4-001ec9578670)NessusFreeBSD Local Security Checks
high
57546Fedora 15 : openssl-1.0.0f-1.fc15 (2012-0250)NessusFedora Local Security Checks
medium
57543Debian DSA-2390-1 : openssl - several vulnerabilitiesNessusDebian Local Security Checks
high
57479Fedora 16 : openssl-1.0.0f-1.fc16 (2012-0232)NessusFedora Local Security Checks
medium
57460OpenSSL 1.x < 1.0.0f Multiple VulnerabilitiesNessusWeb Servers
medium
57459OpenSSL < 0.9.8s Multiple VulnerabilitiesNessusWeb Servers
high
801059OpenSSL 0.9.8 < 0.9.8s / 1.x < 1.0.0f Multiple VulnerabilitiesLog Correlation EngineWeb Servers
high
6129OpenSSL 0.9.8 < 0.9.8s / 1.x < 1.0.0f Multiple VulnerabilitiesNessus Network MonitorWeb Servers
high