Security Advisory - Three OpenSSL Vulnerabilities in Huawei Products

On January 26, 2017, the OpenSSL Software Foundation released a security advisory that included three new vulnerabilities.

If a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack. (Vulnerability ID: HWPSIRT-2017-02005)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-3730.

If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. (Vulnerability ID: HWPSIRT-2017-02006)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-3731.

There is a vulnerability in the x86_64 Montgomery squaring procedure, if DH parameters are used and a private key is shared between multiple clients, a successful exploit could allow the attacker to access sensitive private key information. (Vulnerability ID: HWPSIRT-2017-02007)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-3732.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:

<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170503-01-openssl-en&gt;