Lucene search

HistorySep 12, 2011 - 12:00 a.m.

OpenSSL 1.0.0 < 1.0.0e Multiple Vulnerabilities

2011-09-1200:00:00

www.tenable.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

9.1 High

AI Score

Confidence

High

0.567 Medium

EPSS

Percentile

97.7%

JSON

The version of OpenSSL installed on the remote host is prior to 1.0.0e. It is, therefore, affected by multiple vulnerabilities as referenced in the 1.0.0e advisory.

The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1 before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against a server that supports client authentication. (CVE-2015-1788)
The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS protocol. (CVE-2011-3210)
crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past. (CVE-2011-3207)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(56162);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/07");

  script_cve_id("CVE-2011-3207", "CVE-2011-3210", "CVE-2015-1788");
  script_bugtraq_id(47888, 49469, 49471);
  script_xref(name:"CERT", value:"536044");

  script_name(english:"OpenSSL 1.0.0 < 1.0.0e Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote service is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of OpenSSL installed on the remote host is prior to 1.0.0e. It is, therefore, affected by multiple
vulnerabilities as referenced in the 1.0.0e advisory.

  - The BN_GF2m_mod_inv function in crypto/bn/bn_gf2m.c in OpenSSL before 0.9.8s, 1.0.0 before 1.0.0e, 1.0.1
    before 1.0.1n, and 1.0.2 before 1.0.2b does not properly handle ECParameters structures in which the curve
    is over a malformed binary polynomial field, which allows remote attackers to cause a denial of service
    (infinite loop) via a session that uses an Elliptic Curve algorithm, as demonstrated by an attack against
    a server that supports client authentication. (CVE-2015-1788)

  - The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does
    not ensure thread safety during processing of handshake messages from clients, which allows remote
    attackers to cause a denial of service (daemon crash) via out-of-order messages that violate the TLS
    protocol. (CVE-2011-3210)

  - crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which
    makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to
    a time in the past. (CVE-2011-3207)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20110906.txt");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20150611.txt");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2011-3207");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2011-3210");
  script_set_attribute(attribute:"see_also", value:"https://www.cve.org/CVERecord?id=CVE-2015-1788");
  script_set_attribute(attribute:"solution", value:
"Upgrade to OpenSSL version 1.0.0e or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-3207");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2015-1788");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/09/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/09/12");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:openssl:openssl");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2011-2024 Tenable Network Security, Inc.");

  script_dependencies("openssl_version.nasl", "openssl_nix_installed.nbin", "openssl_win_installed.nbin");
  script_require_keys("installed_sw/OpenSSL");

  exit(0);
}

include('vcf.inc');
include('vcf_extras_openssl.inc');

var app_info = vcf::combined_get_app_info(app:'OpenSSL');

vcf::check_all_backporting(app_info:app_info);

var constraints = [
  { 'min_version' : '1.0.0', 'fixed_version' : '1.0.0e' }
];

vcf::openssl::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING
);

VendorProductVersionCPE
opensslopensslcpe:/a:openssl:openssl

Vendor	Product	Version	CPE
openssl	openssl		cpe:/a:openssl:openssl

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3207

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3210

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1788

www.cve.org/CVERecord?id=CVE-2011-3207

www.cve.org/CVERecord?id=CVE-2011-3210

www.cve.org/CVERecord?id=CVE-2015-1788

www.openssl.org/news/secadv/20110906.txt

www.openssl.org/news/secadv/20150611.txt

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

9.1 High

AI Score

Confidence

High

0.567 Medium

EPSS

Percentile

97.7%

JSON

Related for OPENSSL_1_0_0E.NASL