The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of OpenSSL: obtaining private exponent via DH Small Subgroups

Synthesis of the vulnerability

In some special configurations, an attacker can find the private DH exponent of the OpenSSL peer, in order to decrypt other sessions.
Severity of this threat: 2/4.
Creation date: 28/01/2016.
References for this weakness: 1979602, 2003480, 2003620, 2003673, 9010060, BSA-2016-005, bulletinjan2018, c05390893, CERTFR-2016-AVI-041, cisco-sa-20160129-openssl, cpujul2019, cpuoct2017, CVE-2016-0701, FEDORA-2016-527018d2ff, HPESBHF03703, JSA10759, NTAP-20160201-0001, openSUSE-SU-2016:0637-1, SA111, SOL33209124, SOL64009378, USN-2883-1, VIGILANCE-VUL-18836, VN-2016-002, VU#257823.

Description of the vulnerability

Since version 1.0.2, the OpenSSL library can generate non-safe-prime DH parameters in the X9.42 style (with a subgroup of size "q"), in order to support RFC 5114.

In this case, an attacker can find the private DH exponent of the peer, if the DH key is reused. The DH key is reused in the following cases:
 - SSL_CTX_set_tmp_dh() or SSL_set_tmp_dh() is used without the option SSL_OP_SINGLE_DH_USE set, which is rare.
 - SSL_CTX_set_tmp_dh_callback() or SSL_set_tmp_dh_callback() is used in an undocumented mode.
 - Static DH ciphersuites are used.

In some special configurations, an attacker can therefore find the private DH exponent of the OpenSSL peer, in order to decrypt other sessions.
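As an added illustration (not code from the bulletin or from OpenSSL), the Python below audits a DH modulus the way a defender would before allowing key reuse: a safe prime p = 2q + 1 has no subgroup smaller than q, whereas an X9.42-style prime has small subgroups, so a reused exponent must be avoided and each peer public value checked for membership in the order-q subgroup. The modulus 10091 = 2 * 5 * 1009 + 1 and the other numbers are constructed toy parameters, not real DH groups.

```python
"""Toy DH-group audit; an added example, not Vigil@nce or OpenSSL code."""

def is_probable_prime(n):
    """Miller-Rabin with fixed bases: deterministic for every n below 3.4e14."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        if a >= n - 1:
            break
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def is_safe_prime(p):
    """p = 2q + 1 with q prime: the only subgroups are {1}, {1, p-1}, order q, order 2q."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def small_factors(n, bound=2 ** 16):
    """Prime factors of n below bound, i.e. the orders of the small subgroups of Z_p^*."""
    factors, f = [], 2
    while f < bound and f * f <= n:
        if n % f == 0:
            factors.append(f)
            while n % f == 0:
                n //= f
        f += 1
    if 1 < n < bound:
        factors.append(n)
    return factors

def audit_dh_group(p, q=None):
    """Report whether reusing a private exponent with this modulus is acceptable."""
    safe = is_safe_prime(p)
    small = [] if safe else [f for f in small_factors(p - 1) if f not in (2, q)]
    return {"safe_prime": safe, "small_subgroup_orders": small, "key_reuse_ok": safe}

def validate_peer_public(y, p, q):
    """X9.42-style groups: accept a peer value only if it lies in the order-q subgroup."""
    return 1 < y < p - 1 and pow(y, q, p) == 1
```

For a safe-prime group the audit reports no small subgroups and key reuse as acceptable; for the X9.42-style toy group it lists the order-5 subgroup and rejects reuse, and a peer value of order 5 fails the membership check.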

This vulnerability bulletin impacts software or systems such as Blue Coat CAS, ProxyAV, ProxySG by Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Brocade vTM, ASA, AsyncOS, Cisco ESA, Cisco IPS, Nexus by Cisco, NX-OS, Cisco CUCM, Cisco Manager Attendant Console, Cisco IP Phone, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, HP Switch, Tivoli Storage Manager, Tivoli Workload Scheduler, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, Data ONTAP 7-Mode, NetScreen Firewall, ScreenOS, OpenSSL, openSUSE, Oracle Communications, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Solaris, WebLogic, Puppet, stunnel, Ubuntu, VxWorks.

Our Vigil@nce team determined that the severity of this security note is medium.

The trust level is "confirmed by the vendor", and the attack origin is "internet client".

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat

OpenSSL: version 1.0.2f.
The version 1.0.2f is fixed:
  http://www.openssl.org/source/
  ftp://ftp.openssl.org/source/

Blue Coat: solution for OpenSSL.
The solution is indicated in information sources.

Brocade: solution for multiple vulnerabilities (13/04/2016).
The solution is indicated in information sources.

Cisco: solution for OpenSSL.
The solution is indicated in information sources. (Each product has a defect record.)

Extreme Networks: solution for OpenSSL.
The solution is indicated in information sources.

F5 BIG-IP: solution for OpenSSL.
The solution is indicated in information sources.

Fedora: new openssl packages.
New packages are available:
  Fedora 23: openssl 1.0.2f-1.fc23

HPE Comware Switch: fixed versions for OpenSSL.
Fixed versions are indicated in information sources.

IBM Spectrum Protect: versions 7.1.6.5 and 8.1.0.2.
Versions 7.1.6.5 and 8.1.0.2 are fixed:
  Version 7.1.6.5: http://www-01.ibm.com/support/docview.wss?uid=swg24042496
  Version 8.1.0.2: http://www.ibm.com/support/docview.wss?uid=swg24043351

IBM Tivoli Workload Scheduler: patch for OpenSSL.
A patch is indicated in information sources.

ITeFix Copssh: version 5.4.3.
The version 5.4.3 is fixed:
  https://www.itefix.net/copssh

Juniper: solution for OpenSSL.
The solution is indicated in information sources.

NetApp Data ONTAP: solution for OpenSSL 01/2016.
The solution is indicated in information sources.

openSUSE 11.4: new openssl packages.
New packages are available:
  openSUSE 11.4: openssl 1.0.1p-71.1

Oracle Communications: CPU of January 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2625594.1
  https://support.oracle.com/rs?type=doc&id=2626101.1
  https://support.oracle.com/rs?type=doc&id=2628576.1
  https://support.oracle.com/rs?type=doc&id=2626102.1
  https://support.oracle.com/rs?type=doc&id=2622427.1
  https://support.oracle.com/rs?type=doc&id=2595443.1
  https://support.oracle.com/rs?type=doc&id=2595442.1
  https://support.oracle.com/rs?type=doc&id=2617852.1
  https://support.oracle.com/rs?type=doc&id=2626103.1

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

Oracle Database: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2534806.1

Oracle Fusion Middleware: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2534806.1

Oracle Solaris: patch for third party software of January 2018 v1.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Puppet Labs Puppet: version 3.8.6.
The version 3.8.6 is fixed.

stunnel: version 5.30.
The version 5.30 is fixed:
  https://www.stunnel.org/downloads.html

Ubuntu: new libssl1.0.0 packages.
New packages are available:
  Ubuntu 15.10: libssl1.0.0 1.0.2d-0ubuntu1.3

Wind River VxWorks: solution for OpenSSL.
The solution is indicated in information sources.

Computer vulnerability tracking service

Vigil@nce provides a software vulnerability patch service. Each administrator can customize the list of products for which they want to receive vulnerability alerts.