CVE-2019-1552

low

Description

OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options.

For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be '/usr/local'. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of 'C:/usr/local', which may be world writable, which enables untrusted users to modify OpenSSL's default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc.

For OpenSSL 1.0.2, '/usr/local/ssl' is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own --prefix.

OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).
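As an added defender's check (not part of the CVE record or of OpenSSL's own tooling), the script below reads the OPENSSLDIR that a binary reports via `openssl version -d`, maps a Unix-style default onto the drive root the way the advisory says a mingw build ends up doing, walks up to the nearest directory that actually exists, and reports whether that directory is writable by unprivileged users. The sample `openssl version -d` output, the `C:` drive letter and the POSIX mode-bit check are assumptions of this example.

```python
import os
import re
import stat

OPENSSLDIR_RE = re.compile(r'^OPENSSLDIR:\s*"([^"]+)"', re.MULTILINE)

# Constructed sample `openssl version -d` output from a mingw build with the default prefix.
SAMPLE_VERSION_OUTPUT = 'OPENSSLDIR: "/usr/local/ssl"\n'

def parse_openssldir(version_output):
    """Return the quoted OPENSSLDIR from `openssl version -d` output, or None."""
    match = OPENSSLDIR_RE.search(version_output)
    return match.group(1) if match else None

def resolve_mingw_path(openssldir, drive="C:"):
    """Map a Unix-style default onto a drive root, as a Windows (mingw) program
    does; the drive letter is an assumption (the advisory names C:/usr/local)."""
    return drive + openssldir if openssldir.startswith("/") else openssldir

def deepest_existing_ancestor(path):
    """Walk up to the nearest existing directory. A missing OPENSSLDIR is the
    usual risky case: whoever can write that ancestor can create the rest of
    the tree and plant openssl.cnf, CA certificates or engine modules there."""
    current = os.path.normpath(path)
    while not os.path.isdir(current):
        parent = os.path.dirname(current)
        if parent == current:  # no existing parent at all
            break
        current = parent
    return current

def writable_by_others(path):
    """POSIX o+w mode-bit check; on Windows NTFS ACLs decide, so False is only an approximation."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False

def audit(version_output, on_windows=False, drive="C:"):
    """Report the effective OPENSSLDIR and whether an untrusted user could own it."""
    openssldir = parse_openssldir(version_output)
    if openssldir is None:
        return {"openssldir": None, "exists": False, "checked": None, "risky": False}
    effective = resolve_mingw_path(openssldir, drive) if on_windows else openssldir
    checked = deepest_existing_ancestor(effective)
    return {"openssldir": effective, "exists": os.path.isdir(effective),
            "checked": checked, "risky": writable_by_others(checked)}
```

Feed `audit` the captured text of `openssl version -d` from the build under review, with `on_windows=True` for mingw binaries; a `risky` result means the reported OPENSSLDIR (or the ancestor an attacker would need to create it under) is open to other local users and the build should be reconfigured with an explicit --prefix / --openssldir.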

References

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d333ebaf9c77332754a9d5e111e2f53e1de54fdd

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e32bc855a81a2d48d215c506bdeb4f598045f7e9

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b15a19c148384e73338aa7c5b12652138e35ed28

https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=54aa9d51b09d67e90db443f682cface795f5af9e

https://www.openssl.org/news/secadv/20190730.txt

https://security.netapp.com/advisory/ntap-20190823-0006/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/

https://support.f5.com/csp/article/K94041354

https://support.f5.com/csp/article/K94041354?utm_source=f5support&utm_medium=RSS

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://www.tenable.com/security/tns-2019-08

https://www.tenable.com/security/tns-2019-09

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.oracle.com/security-alerts/cpuoct2020.html

https://www.kb.cert.org/vuls/id/429301

https://kc.mcafee.com/corporate/index?page=content&id=SB10365

Details

Source: MITRE

Published: 2019-07-30

Updated: 2021-07-31

Type: CWE-295

Risk Information

CVSS v2

Base Score: 1.9

Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 3.4

Severity: LOW

CVSS v3

Base Score: 3.3

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Impact Score: 1.4

Exploitability Score: 1.8

Severity: LOW

Vulnerable Software

Configuration 1 (any of the following):

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.1.1 to 1.1.1c (inclusive)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.0.2 to 1.0.2s (inclusive)

cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* versions from 1.1.0 to 1.1.0k (inclusive)

Tenable Plugins

19 plugins in total.

ID     | Name                                                                                 | Product | Family                       | Severity
135606 | EulerOS Virtualization 3.0.2.2 : openssl (EulerOS-SA-2020-1444)                      | Nessus  | Huawei Local Security Checks | medium
134510 | EulerOS Virtualization for ARM 64 3.0.2.0 : openssl (EulerOS-SA-2020-1221)           | Nessus  | Huawei Local Security Checks | low
133042 | Oracle Secure Global Desktop Multiple Vulnerabilities (January 2020 CPU)             | Nessus  | Misc.                        | medium
132817 | EulerOS Virtualization for ARM 64 3.0.5.0 : openssl (EulerOS-SA-2020-1063)           | Nessus  | Huawei Local Security Checks | medium
132815 | EulerOS Virtualization for ARM 64 3.0.5.0 : compat-openssl10 (EulerOS-SA-2020-1061)  | Nessus  | Huawei Local Security Checks | low
132177 | EulerOS 2.0 SP3 : openssl (EulerOS-SA-2019-2642)                                     | Nessus  | Huawei Local Security Checks | low
131617 | EulerOS 2.0 SP2 : openssl (EulerOS-SA-2019-2464)                                     | Nessus  | Huawei Local Security Checks | low
130807 | EulerOS 2.0 SP8 : compat-openssl10 (EulerOS-SA-2019-2098)                            | Nessus  | Huawei Local Security Checks | low
130806 | EulerOS 2.0 SP8 : openssl (EulerOS-SA-2019-2097)                                     | Nessus  | Huawei Local Security Checks | medium
130678 | EulerOS 2.0 SP5 : openssl (EulerOS-SA-2019-2216)                                     | Nessus  | Huawei Local Security Checks | low
129653 | Fedora 31 : 1:compat-openssl10 (2019-db06efdea1)                                     | Nessus  | Fedora Local Security Checks | high
129368 | Fedora 29 : 1:compat-openssl10 (2019-9a0a7c0986)                                     | Nessus  | Fedora Local Security Checks | high
129319 | Fedora 30 : 1:compat-openssl10 (2019-00c25b9379)                                     | Nessus  | Fedora Local Security Checks | high
129198 | EulerOS 2.0 SP3 : openssl1.1.0f (EulerOS-SA-2019-2005)                               | Nessus  | Huawei Local Security Checks | low
128914 | EulerOS 2.0 SP2 : openssl110f (EulerOS-SA-2019-1862)                                 | Nessus  | Huawei Local Security Checks | low
128813 | EulerOS 2.0 SP5 : openssl110h (EulerOS-SA-2019-1890)                                 | Nessus  | Huawei Local Security Checks | high
128117 | OpenSSL 1.1.0 < 1.1.0l Multiple Vulnerabilities                                      | Nessus  | Web Servers                  | low
128116 | OpenSSL 1.1.1 < 1.1.1d Multiple Vulnerabilities                                      | Nessus  | Web Servers                  | medium
128115 | OpenSSL 1.0.2 < 1.0.2t Multiple Vulnerabilities                                      | Nessus  | Web Servers                  | low