The MOD_EXP_CTIME_COPY_FROM_PREBUF function in crypto/bn/bn_exp.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not properly consider cache-bank access times during modular exponentiation, which makes it easier for local users to discover RSA keys by running a crafted application on the same Intel Sandy Bridge CPU core as a victim and leveraging cache-bank conflicts, aka a CacheBleed attack.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Versions of OpenSSL prior to 1.0.1s, or 1.0.2g are unpatched for the following vulnerabilities :

 - A flaw exists in the 'SRP_VBASE_get_by_user' method in the SRP Server 'apps/s_server.c' that is triggered when handling invalid usernames. With a specially crafted username, a remote attacker can cause the service to leak 300 bytes of memory per connection, exhausting available memory resources.(
 - A flaw exists in the 'doapr_outch()' function in 'crypto/bio/b_print.c' that is triggered when failing to allocate memory, as the function's return value has no way to signal this error to a calling function. This may allow a context-dependent attacker to corrupt memory and crash a process linked against the library or potentially execute arbitrary code.
 - An out-of-bounds read flaw exists in the 'fmtstr()' function in 'crypto/bio/b_print.c' that is triggered when printing very long strings. This may allow a context-dependent attacker to crash a process linked against the library or to disclose memory contents.
 - A NULL pointer dereference flaw exists in the 'BN_hex2bn()' and 'BN_dec2bn()' functions in 'crypto/bn/bn_print.c'. This may allow a context-dependent attacker to trigger a heap corruption, potentially allowing the execution of arbitrary code.
 - SSLv2 contains a flaw in its implementation, allowing for a cross-protocol Bleichenbacher padding oracle attack (an adaptive chosen-ciphertext attack). Such an attack may allow a man-in-the-middle attacker to decrypt intercepted TLS connections via a series of specially crafted connections to an SSLv2 server that uses the same private key. The monitored connections required to conduct this attack can use any version of the SSL or TLS protocols, including TLS 1.2, as long as they all use the same RSA key exchange method. With each connection, the server response will vary enough so as to leak information to the attacker about the secret keys in use for the victim TLS connection. This information can in turn be used to eventually decrypt the entire TLS connection and gain access to all plaintext traffic between the victim and server.
 - A double-free flaw exists that is triggered as user-supplied input is not properly validated when parsing malformed DSA private keys. This may allow an attacker to corrupt memory to cause a denial of service or potentially execute arbitrary code.
 - A side-channel attack exists that is triggered during the handling of the cache-bank conflicts on the Intel Sandy-bridge microarchitecture. This may allow an attacker to gain access to RSA key information.
 - A flaw exists in 's2_srvr.c' that is triggered as it does not properly enforce that the 'clear-key-length' is 0 for non-export ciphers. This may allow an attacker to displace encrypted-key bytes if clear-key bytes are present for these ciphers, which can allow the attacker to gain access to SSLv2 master-key information.
 - A flaw exists in 's2_srvr.c' that is triggered when the incorrect bytes in the master-key are overwritten during the application of Bleichenbacher protection mechanisms for export cipher suites. This may allow an attacker to potentially execute more efficient variants of the DROWN attack.

The remote host is running a version of macOS that is prior to 10.14. It is, therefore, affected by multiple vulnerabilities in the following components :

 - afpserver
 - AppleGraphicsControl
 - Application Firewall
 - App Store
 - APR
 - ATS
 - Auto Unlock
 - Bluetooth
 - CFNetwork
 - CoreFoundation
 - CoreText
 - Crash Reporter
 - CUPS
 - Dictionary
 - Grand Central Dispatch
 - Heimdal
 - Hypervisor
 - iBooks
 - Intel Graphics Driver
 - IOHIDFamily
 - IOKit
 - IOUserEthernet
 - Kernel
 - LibreSSL
 - Login Window
 - mDNSOffloadUserClient
 - MediaRemote
 - Microcode
 - Security
 - Spotlight
 - Symptom Framework
 - Text
 - Wi-Fi

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Versions of OpenSSL prior to 1.0.1s, or 1.0.2g are unpatched for the following vulnerabilities :

According to its banner, the remote host is running a version of OpenSSL 1.0.2 prior to 1.0.2g. It is, therefore, affected by the following vulnerabilities :

  - A key disclosure vulnerability exists due to improper handling of cache-bank conflicts on the Intel Sandy-bridge microarchitecture. An attacker can exploit this to gain access to RSA key information. (CVE-2016-0702)

  - A double-free error exists due to improper validation of user-supplied input when parsing malformed DSA private keys. A remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. (CVE-2016-0705)

  - A NULL pointer dereference flaw exists in the BN_hex2bn() and BN_dec2bn() functions. A remote attacker can exploit this to trigger a heap corruption, resulting in the execution of arbitrary code. (CVE-2016-0797)

  - A denial of service vulnerability exists due to improper handling of invalid usernames. A remote attacker can exploit this, via a specially crafted username, to leak 300 bytes of memory per connection, exhausting available memory resources. (CVE-2016-0798)

  - Multiple memory corruption issues exist that allow a remote attacker to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0799)

  - A flaw exists that allows a cross-protocol Bleichenbacher padding oracle attack known as DROWN (Decrypting RSA with Obsolete and Weakened eNcryption). This vulnerability exists due to a flaw in the Secure Sockets Layer Version 2 (SSLv2) implementation, and it allows captured TLS traffic to be decrypted. A man-in-the-middle attacker can exploit this to decrypt the TSL connection by utilizing previously captured traffic and weak cryptography along with a series of specially crafted connections to an SSLv2 server that uses the same private key. (CVE-2016-0800)

ID	Name	Product	Family	Published	Updated	Severity
503071	Siemens SCALANCE X-200RNA Switch Devices Exposure of Sensitive Information to an Unauthorized Actor (CVE-2016-0702)	Tenable OT Security	Tenable.ot	3/13/2025	3/13/2025	medium
9128	OpenSSL 1.0.1 < 1.0.1s / 1.0.2 < 1.0.2g Multiple Vulnerabilities (DROWN)	Nessus Network Monitor	Web Servers	3/1/2016	3/6/2019	medium
700518	macOS < 10.14 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	4/10/2019	4/10/2019	critical
801963	OpenSSL 1.0.1 < 1.0.1s / 1.0.2 < 1.0.2g Multiple Vulnerabilities (DROWN)	Log Correlation Engine	Web Servers	3/7/2016		medium

Detections

Analytics

Plugins Search

medium

medium

critical

medium