The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability note CVE-2015-3193

OpenSSL: disclosure of DH private key via BN_mod_exp

Synthesis of the vulnerability

An attacker, with a significant amount of resources, can attack the DH algorithm, in some OpenSSL usages, in order to compute the private key.
Vulnerable systems: Tomcat, FabricOS, Brocade Network Advisor, Brocade vTM, Cisco ASR, Cisco ATA, Cisco AnyConnect Secure Mobility Client, ASA, AsyncOS, Cisco Content SMA, Cisco ESA, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco WSA, Cisco Wireless Controller, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiClient, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, HP Switch, IRAD, Tivoli Storage Manager, BIND, IVE OS, Juniper J-Series, Junos OS, Junos Space, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, Juniper SBR, McAfee Email Gateway, Data ONTAP, NetScreen Firewall, ScreenOS, Nodejs Core, OpenSSL, Oracle Communications, Solaris, Pulse Connect Secure, MAG Series by Pulse Secure, Pulse Secure SBR, Puppet, Slackware, stunnel, Ubuntu.
Severity of this threat: 1/4.
Consequences of a hack: data reading.
Pirate's origin: internet client.
Creation date: 03/12/2015.
Références of this weakness: 1972951, 2003480, 2003620, 2003673, 9010051, BSA-2016-006, bulletinjan2018, c05398322, CERTFR-2015-AVI-517, cisco-sa-20151204-openssl, cpuoct2017, CVE-2015-3193, FEDORA-2015-605de37b7f, HPESBHF03709, JSA10759, NTAP-20151207-0001, SA40100, SB10203, SOL12824341, SOL30714460, SOL55540723, SOL86772626, SSA:2015-349-04, USN-2830-1, VIGILANCE-VUL-18434.

Description of the vulnerability

The OpenSSL library uses the BN_mod_exp() function to perform a modular exponentiation on large numbers.

However, on an x86_64 processor, the BN_mod_exp() function can generate an incorrect result during the Montgomery Squaring procedure.

An attacker, with a significant amount of resources, can therefore attack the DH algorithm, in some OpenSSL usages, in order to compute the private key.
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides software vulnerabilities alerts. The Vigil@nce vulnerability database contains several thousand vulnerabilities. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.