CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
78.1%
A flaw was found in openssl in versions 1.0.2 to 1.0.2w. A Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The highest threat from this vulnerability is to data confidentiality.
In OpenSSL 1.0.2e and below, this flaw can be mitigated by not enabling any ciphersuites with Diffie Hellman (DH), excluding ciphersuites using Elliptic Curve Diffie Hellman (ECDH).
In OpenSSL 1.0.2f and above, this flaw can be mitigated by not enabling static DH ciphersuites. Such ciphersuites start with DH-
in OpenSSL and are mapped to IANA names that start with TLS_DH_
, excluding ciphersuites that start with TLS_DH_anon
. Following this convention, we see that DH-RSA-AES256-GCM-SHA384
with IANA name TLS_DH_RSA_WITH_AES_256_GCM_SHA384
is affected and should not be used in a mitigation of this flaw. However, ECDH-RSA-AES128-GCM-SHA256
with IANA name TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
is not affected and may be used in a mitigation to this flaw, as it does not follow the DH-
or TLS_DH_
naming convention.
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
78.1%