CVE-2020-1968 (Red Hat: RH:CVE-2020-1968)

Source: redhat.com (access.redhat.com)
Published: 2020-09-09 16:51:54
Tags: openssl, raccoon attack, tls flaw, data confidentiality, mitigation, dh ciphersuites, static ciphersuites

CVSS2: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.006 (Percentile: 78.1%)

A flaw was found in OpenSSL versions 1.0.2 to 1.0.2w. The Raccoon attack exploits a flaw in the TLS specification that can allow an attacker to compute the pre-master secret of connections that used a Diffie-Hellman (DH) based ciphersuite. In such a case the attacker would be able to eavesdrop on all encrypted communications sent over that TLS connection. The highest threat from this vulnerability is to data confidentiality.

Mitigation

In OpenSSL 1.0.2e and below, this flaw can be mitigated by not enabling any ciphersuites that use Diffie-Hellman (DH), excluding ciphersuites that use Elliptic Curve Diffie-Hellman (ECDH).

In OpenSSL 1.0.2f and above, this flaw can be mitigated by not enabling static DH ciphersuites. Such ciphersuites start with DH- in OpenSSL naming and map to IANA names that start with TLS_DH_, excluding ciphersuites that start with TLS_DH_anon. Following this convention, DH-RSA-AES256-GCM-SHA384 (IANA name TLS_DH_RSA_WITH_AES_256_GCM_SHA384) is affected and must not be enabled when mitigating this flaw. However, ECDH-RSA-AES128-GCM-SHA256 (IANA name TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256) is not affected and may remain enabled, as it does not follow the DH- or TLS_DH_ naming convention.
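The two version-dependent rules above can be applied mechanically when auditing a cipher list. The following is an added example (not part of the Red Hat advisory or of OpenSSL) that classifies ciphersuite names in either OpenSSL or IANA form and filters an OpenSSL cipher string accordingly; the OpenSSL prefixes DHE-, EDH- and ADH- used for the pre-1.0.2f rule are an assumption drawn from OpenSSL's naming scheme, and the sample cipher list is constructed.

```python
"""Classify ciphersuites per the CVE-2020-1968 (Raccoon) mitigation rules.
Added example code, not from the advisory or from OpenSSL."""
import re

# Constructed sample: (OpenSSL name, IANA name) pairs.
SAMPLE_CIPHERS = [
    ("DH-RSA-AES256-GCM-SHA384", "TLS_DH_RSA_WITH_AES_256_GCM_SHA384"),     # static DH
    ("DHE-RSA-AES256-GCM-SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"),   # ephemeral DH
    ("ADH-AES128-SHA", "TLS_DH_anon_WITH_AES_128_CBC_SHA"),                 # anonymous DH
    ("ECDH-RSA-AES128-GCM-SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"), # static ECDH
    ("AES128-GCM-SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256"),               # RSA key exchange
]

def uses_static_dh(name):
    """1.0.2f+ rule: 'DH-' in OpenSSL naming, or 'TLS_DH_' but not 'TLS_DH_anon' in IANA."""
    if name.startswith("TLS_"):
        return name.startswith("TLS_DH_") and not name.startswith("TLS_DH_anon")
    return name.startswith("DH-")

def uses_finite_field_dh(name):
    """<=1.0.2e rule: any finite-field DH (static, ephemeral or anonymous), never ECDH(E).
    The OpenSSL prefixes DHE-/EDH-/ADH- are an assumption based on OpenSSL naming."""
    if name.startswith("TLS_"):
        return name.startswith("TLS_DH")   # TLS_DH_, TLS_DHE_, TLS_DH_anon_; TLS_ECDH* is excluded
    return name.startswith(("DH-", "DHE-", "EDH-", "ADH-"))

def _version_key(version):
    """Turn an OpenSSL version such as '1.0.2w' into a sortable tuple (letter suffix last)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return (int(m[1]), int(m[2]), int(m[3]), m[4])

def is_affected(name, openssl_version):
    """True if this ciphersuite must be disabled on this OpenSSL version per the advisory."""
    v = _version_key(openssl_version)
    if not (_version_key("1.0.2") <= v <= _version_key("1.0.2w")):
        return False                       # advisory covers 1.0.2 through 1.0.2w only
    if v <= _version_key("1.0.2e"):
        return uses_finite_field_dh(name)
    return uses_static_dh(name)

def mitigated_cipher_string(openssl_names, openssl_version):
    """Drop the affected suites and return the remainder as an OpenSSL cipher string."""
    return ":".join(n for n in openssl_names if not is_affected(n, openssl_version))

if __name__ == "__main__":
    for ossl, iana in SAMPLE_CIPHERS:
        print(f"{ossl:28} 1.0.2e: {is_affected(ossl, '1.0.2e')!s:5} 1.0.2w: {is_affected(iana, '1.0.2w')}")
```

The filtered string is only a starting point: anonymous and other weak suites fall outside this advisory's rule and are handled by the rest of your cipher policy.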
