ID CVE-2018-0732
Summary During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o).
References
Vulnerable Configurations
  • cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2:beta1:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2:beta2:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2:beta3:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2l:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2l:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2m:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2m:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2n:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2n:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.0.2o:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.0.2o:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0:-:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0:pre1:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0:pre1:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0:pre2:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0:pre2:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0:pre3:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0:pre3:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0:pre4:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0:pre4:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0:pre5:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0:pre5:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0:pre6:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0:pre6:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0a:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0a:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0b:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0b:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0c:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0c:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0d:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0d:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0e:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0e:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0f:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0f:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0g:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0g:*:*:*:*:*:*:*
  • cpe:2.3:a:openssl:openssl:1.1.0h:*:*:*:*:*:*:*
    cpe:2.3:a:openssl:openssl:1.1.0h:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 30-05-2019 - 18:29)
Impact:
Exploitability:
CWE CWE-320
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2018:2552
  • rhsa
    id RHSA-2018:2553
  • rhsa
    id RHSA-2018:3221
  • rhsa
    id RHSA-2018:3505
  • rhsa
    id RHSA-2019:1296
  • rhsa
    id RHSA-2019:1297
rpms
  • openssl-1:1.0.2k-16.el7
  • openssl-devel-1:1.0.2k-16.el7
  • openssl-libs-1:1.0.2k-16.el7
  • openssl-perl-1:1.0.2k-16.el7
  • openssl-static-1:1.0.2k-16.el7
refmap via4
bid 104442
confirm
debian
  • DSA-4348
  • DSA-4355
gentoo GLSA-201811-03
misc https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
mlist [debian-lts-announce] 20180728 [SECURITY] [DLA 1449-1] openssl security update
sectrack 1041090
ubuntu
  • USN-3692-1
  • USN-3692-2
Last major update 30-05-2019 - 18:29
Published 12-06-2018 - 13:29
Back to Top