CVE-2018-0732

high

Description

During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime, resulting in a hang until the client has finished. This could be exploited in a denial-of-service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).

References

https://www.openssl.org/news/secadv/20180612.txt

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ea7abeeabf92b7aca160bdd0208636d4da69f4f4

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3984ef0b72831da8b3ece4745cac4f8575b19098

http://www.securitytracker.com/id/1041090

http://www.securityfocus.com/bid/104442

https://usn.ubuntu.com/3692-2/

https://usn.ubuntu.com/3692-1/

https://lists.debian.org/debian-lts-announce/2018/07/msg00043.html

https://access.redhat.com/errata/RHSA-2018:2553

https://access.redhat.com/errata/RHSA-2018:2552

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

https://www.tenable.com/security/tns-2018-12

https://securityadvisories.paloaltonetworks.com/Home/Detail/133

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

https://www.tenable.com/security/tns-2018-14

https://www.tenable.com/security/tns-2018-13

https://access.redhat.com/errata/RHSA-2018:3221

https://security.netapp.com/advisory/ntap-20181105-0001/

https://access.redhat.com/errata/RHSA-2018:3505

https://security.gentoo.org/glsa/201811-03

https://www.debian.org/security/2018/dsa-4348

https://www.debian.org/security/2018/dsa-4355

https://www.tenable.com/security/tns-2018-17

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://security.netapp.com/advisory/ntap-20190118-0002/

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://access.redhat.com/errata/RHSA-2019:1297

https://access.redhat.com/errata/RHSA-2019:1296

https://access.redhat.com/errata/RHSA-2019:1543

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/

https://lists.fedoraproject.org/archives/list/[email protected]/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/

https://lists.fedoraproject.org/archives/list/[email protected]/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujan2021.html

https://cert-portal.siemens.com/productcert/pdf/ssa-419820.pdf

Details

Source: MITRE

Published: 2018-06-12

Updated: 2021-06-08

Type: CWE-320

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 152700 | AIX OpenSSL Advisory : openssl_advisory28.asc | Nessus | AIX Local Security Checks | high |
| 138902 | MySQL Enterprise Monitor 4.x < 4.0.8 / 8.x < 8.0.14 DoS (Jan 2019 CPU) | Nessus | CGI abuses | high |
| 131184 | Oracle Enterprise Manager Ops Center (Jan 2019 CPU) | Nessus | Misc. | critical |
| 129653 | Fedora 31 : 1:compat-openssl10 (2019-db06efdea1) | Nessus | Fedora Local Security Checks | high |
| 129368 | Fedora 29 : 1:compat-openssl10 (2019-9a0a7c0986) | Nessus | Fedora Local Security Checks | high |
| 129319 | Fedora 30 : 1:compat-openssl10 (2019-00c25b9379) | Nessus | Fedora Local Security Checks | high |
| 128303 | Symantec ProxySG 6.5 / 6.6 / 6.7 < 6.7.4.1 OpenSSL Denial of Service Vulnerability (SA1462) | Nessus | Firewalls | high |
| 127975 | OracleVM 3.4 : openssl (OVMSA-2019-0040) | Nessus | OracleVM Local Security Checks | medium |
| 127262 | NewStart CGSL CORE 5.04 / MAIN 5.04 : openssl Multiple Vulnerabilities (NS-SA-2019-0065) | Nessus | NewStart CGSL Local Security Checks | medium |
| 126270 | EulerOS 2.0 SP8 : compat-openssl10 (EulerOS-SA-2019-1643) | Nessus | Huawei Local Security Checks | medium |
| 126046 | SUSE SLES12 Security Update : openssl (SUSE-SU-2019:1553-1) | Nessus | SuSE Local Security Checks | medium |
| 125616 | RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP2 (RHSA-2019:1297) | Nessus | Red Hat Local Security Checks | high |
| 124999 | EulerOS Virtualization 3.0.1.0 : openssl (EulerOS-SA-2019-1546) | Nessus | Huawei Local Security Checks | high |
| 124903 | EulerOS Virtualization for ARM 64 3.0.1.0 : openssl (EulerOS-SA-2019-1400) | Nessus | Huawei Local Security Checks | medium |
| 123887 | EulerOS Virtualization 2.5.4 : openssl (EulerOS-SA-2019-1201) | Nessus | Huawei Local Security Checks | medium |
| 123871 | EulerOS Virtualization 2.5.3 : openssl (EulerOS-SA-2019-1185) | Nessus | Huawei Local Security Checks | medium |
| 123512 | Palo Alto Networks PAN-OS 6.1.x <= 6.1.20 / 7.1.x < 7.1.21 / 8.0.x < 8.0.14 / 8.1.x < 8.1.4 Multiple Vulnerabilities (PAN-SA-2018-0015) | Nessus | Palo Alto Local Security Checks | medium |
| 123360 | openSUSE Security Update : VirtualBox (openSUSE-2019-863) | Nessus | SuSE Local Security Checks | critical |
| 123323 | openSUSE Security Update : openssl-1_0_0 (openSUSE-2019-753) | Nessus | SuSE Local Security Checks | medium |
| 123322 | openSUSE Security Update : openssl-1_1 (openSUSE-2019-751) | Nessus | SuSE Local Security Checks | high |
| 123312 | openSUSE Security Update : nodejs8 (openSUSE-2019-718) | Nessus | SuSE Local Security Checks | high |
| 123236 | openSUSE Security Update : openssl-1_1 (openSUSE-2019-550) | Nessus | SuSE Local Security Checks | high |
| 123235 | openSUSE Security Update : openssl-1_0_0 (openSUSE-2019-549) | Nessus | SuSE Local Security Checks | high |
| 121981 | Photon OS 2.0: Openssl PHSA-2018-2.0-0084 | Nessus | PhotonOS Local Security Checks | critical |
| 121875 | Photon OS 1.0: Openssl PHSA-2018-1.0-0175 | Nessus | PhotonOS Local Security Checks | critical |
| 121257 | Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU) | Nessus | Misc. | critical |
| 121252 | Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Jan 2019 CPU) | Nessus | CGI abuses | medium |
| 121225 | Oracle Enterprise Manager Cloud Control (January 2019 CPU) | Nessus | Misc. | critical |
| 121069 | Junos OS: OpenSSL Security Advisories [16 Apr 2018] and [12 June 2018] (JSA10919) | Nessus | Junos Local Security Checks | medium |
| 120997 | EulerOS 2.0 SP5 : openssl (EulerOS-SA-2019-1009) | Nessus | Huawei Local Security Checks | medium |
| 120424 | Fedora 28 : 1:openssl (2018-520e4c5b4e) | Nessus | Fedora Local Security Checks | medium |
| 120198 | Tenable Nessus < 7.1.4 Multiple Vulnerabilities (TNS-2018-17) | Nessus | Misc. | medium |
| 120115 | SUSE SLES15 Security Update : openssl-1_0_0 (SUSE-SU-2018:2965-1) | Nessus | SuSE Local Security Checks | medium |
| 120114 | SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2018:2956-1) | Nessus | SuSE Local Security Checks | high |
| 120104 | SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2018:2812-1) | Nessus | SuSE Local Security Checks | high |
| 120103 | SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2018:2796-1) | Nessus | SuSE Local Security Checks | high |
| 120093 | SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2018:2647-1) | Nessus | SuSE Local Security Checks | high |
| 120057 | SUSE SLES15 Security Update : openssl-1_1 (SUSE-SU-2018:2041-1) | Nessus | SuSE Local Security Checks | high |
| 120056 | SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2018:2036-1) | Nessus | SuSE Local Security Checks | high |
| 119909 | EulerOS 2.0 SP2 : openssl (EulerOS-SA-2018-1420) | Nessus | Huawei Local Security Checks | medium |
| 119792 | Debian DSA-4355-1 : openssl1.0 - security update | Nessus | Debian Local Security Checks | medium |
| 119520 | EulerOS 2.0 SP3 : openssl (EulerOS-SA-2018-1392) | Nessus | Huawei Local Security Checks | medium |
| 119403 | RHEL 7 : Red Hat OpenShift Application Runtimes Node.js 10.9.0 (RHSA-2018:2553) | Nessus | Red Hat Local Security Checks | high |
| 119402 | RHEL 7 : Red Hat OpenShift Application Runtimes Node.js 8.11.4 (RHSA-2018:2552) | Nessus | Red Hat Local Security Checks | high |
| 119313 | Debian DSA-4348-1 : openssl - security update | Nessus | Debian Local Security Checks | medium |
| 119194 | Scientific Linux Security Update : openssl on SL7.x x86_64 (20181030) | Nessus | Scientific Linux Local Security Checks | medium |
| 118998 | CentOS 7 : openssl (CESA-2018:3221) | Nessus | CentOS Local Security Checks | medium |
| 118937 | Node.js Multiple Vulnerabilities (August 2018 Security Releases) | Nessus | Misc. | high |
| 118847 | GLSA-201811-03 : OpenSSL: Denial of service | Nessus | Gentoo Local Security Checks | high |
| 118833 | Amazon Linux 2 : openssl (ALAS-2018-1102) | Nessus | Amazon Linux Local Security Checks | medium |
| 118777 | Oracle Linux 7 : openssl (ELSA-2018-3221) | Nessus | Oracle Linux Local Security Checks | medium |
| 118642 | F5 Networks BIG-IP : OpenSSL vulnerability (K21665601) | Nessus | F5 Networks Local Security Checks | high |
| 118595 | Amazon Linux AMI : openssl (ALAS-2018-1098) | Nessus | Amazon Linux Local Security Checks | high |
| 118562 | openSUSE Security Update : VirtualBox (openSUSE-2018-1330) | Nessus | SuSE Local Security Checks | critical |
| 118534 | RHEL 7 : openssl (RHSA-2018:3221) | Nessus | Red Hat Local Security Checks | high |
| 118399 | Tenable Log Correlation Engine (LCE) < 5.1.1 (TNS-2018-13) | Nessus | Misc. | medium |
| 118398 | Tenable Nessus < 8.0.0 Multiple Vulnerabilities (TNS-2018-14) | Nessus | Misc. | medium |
| 118273 | SUSE SLES12 Security Update : openssl (SUSE-SU-2018:1887-2) | Nessus | SuSE Local Security Checks | high |
| 118204 | Oracle VM VirtualBox < 5.2.20 Multiple Vulnerabilities (Oct 2018 CPU) | Nessus | Misc. | critical |
| 118106 | Oracle Linux 7 : openssl (ELSA-2018-4249) | Nessus | Oracle Linux Local Security Checks | high |
| 118105 | Oracle Linux 6 : openssl (ELSA-2018-4248) | Nessus | Oracle Linux Local Security Checks | high |
| 117977 | openSUSE Security Update : openssl-1_0_0 (openSUSE-2018-1110) | Nessus | SuSE Local Security Checks | high |
| 117976 | openSUSE Security Update : openssl-1_1 (openSUSE-2018-1109) | Nessus | SuSE Local Security Checks | high |
| 117891 | Fedora 27 : 1:openssl (2018-02a38af202) | Nessus | Fedora Local Security Checks | high |
| 117790 | openSUSE Security Update : nodejs8 (openSUSE-2018-1047) | Nessus | SuSE Local Security Checks | high |
| 117749 | EulerOS 2.0 SP2 : openssl110f (EulerOS-SA-2018-1306) | Nessus | Huawei Local Security Checks | high |
| 117689 | openSUSE Security Update : nodejs6 (openSUSE-2018-1041) | Nessus | SuSE Local Security Checks | high |
| 117672 | Tenable SecurityCenter < 5.7.1 Multiple Vulnerabilities (TNS-2018-12) | Nessus | Misc. | critical |
| 117476 | openSUSE Security Update : compat-openssl098 (openSUSE-2018-997) | Nessus | SuSE Local Security Checks | high |
| 117450 | SUSE SLED12 / SLES12 Security Update : compat-openssl098 (SUSE-SU-2018:2683-1) | Nessus | SuSE Local Security Checks | high |
| 117381 | openSUSE Security Update : nodejs4 (openSUSE-2018-991) | Nessus | SuSE Local Security Checks | high |
| 112128 | FreeBSD : node.js -- multiple vulnerabilities (0904e81f-a89d-11e8-afbb-bc5ff4f77b71) | Nessus | FreeBSD Local Security Checks | high |
| 112120 | OpenSSL 1.1.0 < 1.1.0i Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 112119 | OpenSSL 1.0.x < 1.0.2p Multiple Vulnerabilities | Nessus | Web Servers | medium |
| 112035 | Photon OS 2.0: Openssl / Procps-ng / Perl PHSA-2018-2.0-0084 (deprecated) | Nessus | PhotonOS Local Security Checks | critical |
| 111737 | Slackware 14.2 / current : openssl (SSA:2018-226-01) | Nessus | Slackware Local Security Checks | high |
| 111575 | SUSE SLES11 Security Update : openssl (SUSE-SU-2018:2207-1) | Nessus | SuSE Local Security Checks | high |
| 111429 | openSUSE Security Update : openssl-1_1 (openSUSE-2018-777) | Nessus | SuSE Local Security Checks | high |
| 111415 | openSUSE Security Update : openssl-1_0_0 (openSUSE-2018-763) | Nessus | SuSE Local Security Checks | high |
| 111390 | Debian DLA-1449-1 : openssl security update | Nessus | Debian Local Security Checks | high |
| 111134 | SUSE SLES12 Security Update : openssl (SUSE-SU-2018:1968-1) | Nessus | SuSE Local Security Checks | high |
| 110960 | openSUSE Security Update : openssl (openSUSE-2018-704) | Nessus | SuSE Local Security Checks | high |
| 110938 | SUSE SLED12 / SLES12 Security Update : openssl (SUSE-SU-2018:1887-1) | Nessus | SuSE Local Security Checks | high |
| 110878 | EulerOS 2.0 SP3 : openssl110f (EulerOS-SA-2018-1214) | Nessus | Huawei Local Security Checks | high |
| 110721 | Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : OpenSSL vulnerabilities (USN-3692-1) | Nessus | Ubuntu Local Security Checks | high |
| 110504 | FreeBSD : OpenSSL -- Client DoS due to large DH parameter (c82ecac5-6e3f-11e8-8777-b499baebfeaf) | Nessus | FreeBSD Local Security Checks | high |