OpenSSL 1.x < 1.0.0e Multiple Vulnerabilities

medium Nessus Plugin ID 56162

Synopsis

The remote web server is affected by multiple SSL-related vulnerabilities.

Description

According to its banner, the remote web server is running a version of OpenSSL 1.x prior to 1.0.0e. It is, therefore, affected by the following vulnerabilities:

- An error exists in ECDSA signing over binary (GF(2^m)) curves. The running time of the scalar multiplication depends on the per-signature nonce, so a remote, unauthenticated attacker who can time many signatures (for example from a TLS server using ECDHE_ECDSA cipher suites) can combine the measurements with a lattice computation to recover the private key. (CVE-2011-1945)

- An error exists in the internal certificate verification process: a certificate revocation list (CRL) whose 'nextUpdate' field is in the past can be accepted, although RFC 5280 requires such a CRL to be treated as invalid. Only applications that enable OpenSSL's own CRL checking (the X509_V_FLAG_CRL_CHECK or X509_V_FLAG_CRL_CHECK_ALL verification flags) are affected; this checking is not enabled by default. (CVE-2011-3207)

- The server-side code for the ephemeral (EC)DH cipher suites is not thread-safe. A remote attacker who sends handshake messages out of the order the TLS protocol requires can crash the server process (denial of service). (CVE-2011-3210)
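The plugin's check is banner-based: it reads the OpenSSL version string advertised in the HTTP Server header and compares it with 1.0.0e under OpenSSL's pre-1.1 versioning scheme (major.minor.fix plus an optional letter patch level, so 1.0.0 < 1.0.0a < ... < 1.0.0d < 1.0.0e). The following is an added example, not code from the plugin or from Tenable, that reproduces that comparison over a few constructed Server banners; the function names and the verdict strings are assumptions made for this illustration.

```python
"""Banner-based check for the OpenSSL 1.x < 1.0.0e condition (added example)."""
import re
from typing import NamedTuple, Optional, Tuple


class OpenSSLVersion(NamedTuple):
    """OpenSSL version in the pre-1.1 scheme, e.g. 1.0.0d -> (1, 0, 0, ('d',)).

    The patch level is kept as a tuple of letters so that tuple comparison
    orders () < ('a',) < ... < ('z',) < ('z', 'a'), matching OpenSSL's
    historical a..z, za, zb ordering.
    """
    major: int
    minor: int
    fix: int
    patch: Tuple[str, ...]


# The release that fixes the three CVEs covered by this plugin.
FIXED = OpenSSLVersion(1, 0, 0, ("e",))

# Matches the "OpenSSL/1.0.0d" token that mod_ssl appends to the Server header.
# Suffixes such as "-fips" are deliberately left out of the comparison.
_VERSION_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def version_from_banner(banner: str) -> Optional[OpenSSLVersion]:
    """Extract the advertised OpenSSL version, or None if the banner has none."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(fix), tuple(letters))


def assess_banner(banner: str) -> str:
    """Classify a Server banner against the 1.x < 1.0.0e condition.

    Verdict strings (assumed for this example):
      "vulnerable"   - 1.x branch and older than 1.0.0e
      "not-affected" - 1.x branch at 1.0.0e or newer
      "not-1.x"      - a different branch (e.g. 0.9.8), outside this plugin's scope
      "unknown"      - the banner does not name OpenSSL at all
    """
    v = version_from_banner(banner)
    if v is None:
        return "unknown"
    if v.major != 1:
        return "not-1.x"
    # NamedTuple is a tuple, so this compares (major, minor, fix, patch) in order.
    return "vulnerable" if v < FIXED else "not-affected"


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    "Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/1.0.0d",
    "Server: Apache/2.2.15 (CentOS) OpenSSL/1.0.0-fips",
    "Server: Apache/2.2.21 (Unix) OpenSSL/1.0.0e-fips",
    "Server: Apache/2.2.21 (Unix) OpenSSL/1.0.1",
    "Server: Apache/2.2.17 (Unix) OpenSSL/0.9.8r",
    "Server: nginx/1.0.5",
]


def scan(banners) -> dict:
    """Return {banner: verdict} for a list of Server banners."""
    return {b: assess_banner(b) for b in banners}


if __name__ == "__main__":
    for banner, verdict in scan(SAMPLE_BANNERS).items():
        print(f"{verdict:13s} {banner}")
```

Usage note: a banner match is a necessary but not a sufficient condition. Distribution packages such as Red Hat's (see the bugzilla entries under See Also) backport the fixes without changing the version string, so a host advertising OpenSSL/1.0.0 can already be patched; confirm with the package manager or a local check before reporting. Conversely, a server that hides its banner is not cleared by this test.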

Solution

Upgrade to OpenSSL 1.0.0e or later.

See Also

https://www.openssl.org/news/secadv/20110906.txt

https://www.openssl.org/news/changelog.html

https://bugzilla.redhat.com/show_bug.cgi?id=736079

https://bugzilla.redhat.com/show_bug.cgi?id=736087

https://eprint.iacr.org/2011/232.pdf

http://www.nessus.org/u?68e676f0

Plugin Details

Severity: Medium

ID: 56162

File Name: openssl_1_0_0e.nasl

Version: 1.12

Type: combined

Agent: windows, macosx, unix

Family: Web Servers

Published: 9/12/2011

Updated: 8/21/2023

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2011-3207

Vulnerability Information

CPE: cpe:/a:openssl:openssl

Required KB Items: installed_sw/OpenSSL

Exploit Ease: No known exploits are available

Patch Publication Date: 9/6/2011

Vulnerability Publication Date: 5/17/2011

Reference Information

CVE: CVE-2011-1945, CVE-2011-3207, CVE-2011-3210

BID: 47888, 49469, 49471

CERT: 536044