- Description
- OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake, OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()); however, due to a bug, it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails, a fatal error is returned in the initial function call. If the application subsequently calls SSL_read()/SSL_write() for the same SSL object, the call succeeds and the data is passed directly from the SSL/TLS record layer without being decrypted/encrypted. To exploit this issue, an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after a fatal error had already been received. OpenSSL versions 1.0.2b through 1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.
- Source
- openssl-security@openssl.org
- NVD status
- Modified
CVSS 3.0
- Type
- Primary
- Base score
- 5.9
- Impact score
- 3.6
- Exploitability score
- 2.2
- Vector string
- CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 4.3
- Impact score
- 2.9
- Exploitability score
- 8.6
- Vector string
- AV:N/AC:M/Au:N/C:P/I:N/A:N
- nvd@nist.gov
- CWE-125
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4847BCF3-EFCE-41AF-8E7D-3D51EB9DCC5B"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "9B89180B-FB68-4DD8-B076-16E51CC7FB91"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "4C986592-4086-4A39-9767-EF34DBAA6A53"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "7B23181C-03DB-4E92-B3F6-6B585B5231B4"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "94D9EC1C-4843-4026-9B05-E060E9391734"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "B066401C-21CF-4BE9-9C55-C9F1E0C7BE3F"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "036FB24F-7D86-4730-8BC9-722875BEC807"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FDF148A3-1AA7-4F27-85AB-414C609C626F"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E15B749E-6808-4788-AE42-7A1587D8697E"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "58F80C8D-BCA2-40AD-BD22-B70C7BE1B298"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2l:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "70B78EDF-6BB7-42C4-9423-9332C62C6E43"
},
{
"criteria": "cpe:2.3:a:openssl:openssl:1.0.2m:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "E2354F82-A01B-43D2-84F4-4E94B258E091"
}
],
"operator": "OR"
}
]
},
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"
}
],
"operator": "OR"
}
]
}
]