CVE-2016-0703MEDIUM
Description
The get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a accepts a nonzero CLIENT-MASTER-KEY CLEAR-KEY-LENGTH value for an arbitrary cipher, which allows man-in-the-middle attackers to determine the MASTER-KEY value and decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, a related issue to CVE-2016-0800.
References
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html
http://openssl.org/news/secadv/20160301.txt
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://www.securityfocus.com/bid/83743
http://www.securitytracker.com/id/1035133
https://git.openssl.org/?p=openssl.git;a=commit;h=ae50d8270026edf5b3c7f8aaa0c6677462b33d97
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03741en_us
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc
Details
Source: MITRE
Published: 2016-03-02
Updated: 2018-01-18
Type: CWE-200
Risk Information
CVSS v2.0
Base Score: 4.3
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Impact Score: 2.9
Exploitability Score: 8.6
Severity: MEDIUM
CVSS v3.0
Base Score: 5.9
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Impact Score: 3.6
Exploitability Score: 2.2
Severity: MEDIUM
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions up to 0.9.8ze (inclusive)
cpe:2.3:a:openssl:openssl:1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0l:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0m:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0n:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0o:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0p:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.0q:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1:beta1:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1:beta2:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1:beta3:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1d:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1e:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1f:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1g:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1h:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1i:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1j:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1k:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.1l:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 125001 | EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1548) | Nessus | Huawei Local Security Checks | high |
| 107060 | Arista Networks EOS Multiple Vulnerabilities (SA0018) (DROWN) | Nessus | Misc. | medium |
| 106499 | pfSense < 2.3 Multiple Vulnerabilities (SA-16_01 - SA-16_02) | Nessus | Firewalls | critical |
| 96316 | Juniper Junos Multiple OpenSSL Vulnerabilities (JSA10759) (SWEET32) | Nessus | Junos Local Security Checks | critical |
| 94679 | Juniper ScreenOS 6.3.x < 6.3.0r23 Multiple Vulnerabilities in OpenSSL (JSA10759) (DROWN) | Nessus | Firewalls | critical |
| 92921 | FreeBSD : FreeBSD -- Multiple OpenSSL vulnerabilities (7b1a4a27-600a-11e6-a6c3-14dae9d210b8) (DROWN) | Nessus | FreeBSD Local Security Checks | critical |
| 9462 | OpenSSL 0.9.8 < 0.9.8zf / 1.0.0 < 1.0.0r / 1.0.1 < 1.0.1m / 1.0.2 < 1.0.2a Information Disclosure (DROWN) | Nessus Network Monitor | Web Servers | medium |
| 90364 | Amazon Linux AMI : openssl098e (ALAS-2016-682) (DROWN) | Nessus | Amazon Linux Local Security Checks | medium |
| 90053 | GLSA-201603-15 : OpenSSL: Multiple vulnerabilities (DROWN) | Nessus | Gentoo Local Security Checks | critical |
| 89945 | F5 Networks BIG-IP : OpenSSL vulnerabilities (SOL95463126) (DROWN) | Nessus | F5 Networks Local Security Checks | medium |
| 89910 | openSUSE Security Update : openssl (openSUSE-2016-327) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89825 | Scientific Linux Security Update : openssl098e on SL6.x, SL7.x i386/x86_64 (20160309) (DROWN) | Nessus | Scientific Linux Local Security Checks | medium |
| 89773 | RHEL 6 / 7 : openssl098e (RHSA-2016:0372) (DROWN) | Nessus | Red Hat Local Security Checks | medium |
| 89770 | Oracle Linux 6 / 7 : openssl098e (ELSA-2016-0372) (DROWN) | Nessus | Oracle Linux Local Security Checks | medium |
| 89762 | CentOS 6 / 7 : openssl098e (CESA-2016:0372) (DROWN) | Nessus | CentOS Local Security Checks | medium |
| 89731 | SUSE SLES10 Security Update : OpenSSL (SUSE-SU-2016:0678-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89722 | SUSE SLED11 Security Update : compat-openssl097g (SUSE-SU-2016:0631-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89658 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0641-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89655 | SUSE SLED11 / SLES11 Security Update : openssl (SUSE-SU-2016:0624-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89092 | openSUSE Security Update : openssl (openSUSE-2016-292) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89091 | openSUSE Security Update : openssl (openSUSE-2016-289) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89077 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0620-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89076 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2016:0617-1) (DROWN) | Nessus | SuSE Local Security Checks | critical |
| 89070 | RHEL 5 : openssl (RHSA-2016:0304) (DROWN) | Nessus | Red Hat Local Security Checks | medium |
| 89069 | RHEL 6 : openssl (RHSA-2016:0303) (DROWN) | Nessus | Red Hat Local Security Checks | medium |
| 9128 | OpenSSL 1.0.1 < 1.0.1s / 1.0.2 < 1.0.2g Multiple Vulnerabilities (DROWN) | Nessus Network Monitor | Web Servers | medium |
| 82783 | CentOS 5 : openssl (CESA-2015:0800) (FREAK) | Nessus | CentOS Local Security Checks | high |
| 82758 | RHEL 5 : openssl (RHSA-2015:0800) (FREAK) | Nessus | Red Hat Local Security Checks | high |
| 82757 | Oracle Linux 5 : openssl (ELSA-2015-0800) (FREAK) | Nessus | Oracle Linux Local Security Checks | high |
| 82033 | OpenSSL 1.0.2 < 1.0.2a Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 82032 | OpenSSL 1.0.1 < 1.0.1m Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 82031 | OpenSSL 1.0.0 < 1.0.0r Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 82030 | OpenSSL 0.9.8 < 0.9.8zf Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 82018 | RHEL 7 : openssl (RHSA-2015:0716) | Nessus | Red Hat Local Security Checks | high |
| 82016 | Oracle Linux 7 : openssl (ELSA-2015-0716) | Nessus | Oracle Linux Local Security Checks | high |