|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
OpenSSL: obtaining private exponent via DH Small Subgroups
Synthesis of the vulnerability
In some special configurations, an attacker can find the private DH exponent of the OpenSSL peer, in order to decrypt other sessions.
Vulnerable systems: Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, ASA, AsyncOS, Cisco ESA, Cisco IPS, Nexus by Cisco, NX-OS, Cisco CUCM, Cisco Manager Attendant Console, Cisco IP Phone, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, HP Switch, Tivoli Storage Manager, Tivoli Workload Scheduler, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, Data ONTAP, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE, Oracle Communications, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Solaris, WebLogic, Puppet, stunnel, Ubuntu, VxWorks.
Severity of this threat: 2/4.
Consequences of an attack: data reading, data creation/edition.
Pirate's origin: internet client.
Creation date: 28/01/2016.
Références of this weakness: 1979602, 2003480, 2003620, 2003673, 9010060, BSA-2016-005, bulletinjan2018, c05390893, CERTFR-2016-AVI-041, cisco-sa-20160129-openssl, cpujul2019, cpuoct2017, CVE-2016-0701, FEDORA-2016-527018d2ff, HPESBHF03703, JSA10759, NTAP-20160201-0001, openSUSE-SU-2016:0637-1, SA111, SOL33209124, SOL64009378, USN-2883-1, VIGILANCE-VUL-18836, VN-2016-002, VU#257823.
Description of the vulnerability
Since version 1.0.2, the OpenSSL library can generate DH unsafe parameters of style X9.42 (subgroup size "q"), to support the RFC 5114.
In this case, an attacker can find the private DH exponent of the peer, if the DH key is reused. The DH key is reused in the following cases:
- SSL_CTX_set_tmp_dh() or SSL_set_tmp_dh() is used without the option SSL_OP_SINGLE_DH_USE set, which is rare.
- SSL_CTX_set_tmp_dh_callback() or SSL_set_tmp_dh_callback() is used in an undocumented mode.
- Static DH ciphersuites are used.
In some special configurations, an attacker can therefore find the private DH exponent of the OpenSSL peer, in order to decrypt other sessions.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides an applications vulnerabilities patch. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.