3.7
CVSSv3

CVE-2016-0701

Published: 15/02/2016 Updated: 12/02/2023
CVSS v2 Base Score: 2.6 | Impact Score: 2.9 | Exploitability Score: 4.9
CVSS v3 Base Score: 3.7 | Impact Score: 1.4 | Exploitability Score: 2.2
VMScore: 231
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Vulnerability Summary

The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 prior to 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange, which makes it easier for remote malicious users to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as demonstrated by a number in an X9.42 file.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

openssl openssl 1.0.2a

openssl openssl 1.0.2e

openssl openssl 1.0.2b

openssl openssl 1.0.2c

openssl openssl 1.0.2

openssl openssl 1.0.2d

Vendor Advisories

OpenSSL could be made to expose sensitive information over the network ...
It was found that OpenSSL used weak Diffie-Hellman parameters based on unsafe primes, which were generated and stored in X942-style parameter files An attacker who could force the peer to perform multiple handshakes using the same private DH component could use this flaw to conduct man-in-the-middle attacks on the SSL/TLS connection ...
On January 28, 2016, the OpenSSL Project released a security advisory detailing two vulnerabilities Multiple Cisco products incorporate a version of the OpenSSL package affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to conduct man-in-the-middle attacks on an SSL/TLS connection This advisory will be ...

Exploits

Orion Elite Hidden IP Browser Pro versions 10 through 79 have insecure versions of Tor and OpenSSL included and also suffer from man-in-the-middle vulnerabilities ...

Github Repositories

课前须知 课程主页 课程安排:50学时授课+6学时研讨+2学时复习 成绩评定: 期末考试60% 平时作业25% (Project 15%,各章节作业10%) 课堂等平时表现5%+课堂测试10%(2-3次) 第一章:网络安全综述 11 网络安全概述 网络安全事件举例 网络监听 网络监听 假冒站点phishing

Recent Articles

OpenSSL patch quashes rare HTTPS nasty, shores up crypto chops
The Register • Team Register • 29 Jan 2016

Feet up for the many, head's down and patch for the rest.

OpenSSL maintainers have pushed a pair of patches, crushing a dangerous but uncommon bug that allows HTTPS to be unravelled while also hardening servers against downgrade attacks. Affected servers are open to key recovery attacks only if it runs certain Digital Signature Algorithm and static Diffie-Hellman key exchange subgroups, while running OpenSSL version 1.0.2. The high severity bug (CVE-2016-0701) revealed by Adobe engineer Antonio Sanso and which is fixed in version 1.0.2f. Carnegie Mello...

References

CWE-200http://www.openssl.org/news/secadv/20160128.txthttp://intothesymmetry.blogspot.com/2016/01/openssl-key-recovery-attack-on-dh-small.htmlhttps://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05164821http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlhttp://www.securityfocus.com/bid/91787http://www.securityfocus.com/bid/82233http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.htmlhttp://www.ubuntu.com/usn/USN-2883-1http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176373.htmlhttp://www.securitytracker.com/id/1034849https://security.gentoo.org/glsa/201601-05https://www.kb.cert.org/vuls/id/257823http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390893https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03724en_ushttp://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlhttps://www.oracle.com/security-alerts/cpujan2020.htmlhttps://www.oracle.com/security-alerts/cpuapr2020.htmlhttps://www.oracle.com/security-alerts/cpujul2020.htmlhttps://www.oracle.com/security-alerts/cpuoct2020.htmlhttps://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdfhttps://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=c5b831f21d0d29d1e517d139d9d101763f60c9a2https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=878e2c5b13010329c203f309ed0c8f2113f85648https://nvd.nist.govhttps://usn.ubuntu.com/2883-1/https://www.cisa.gov/uscert/ics/advisories/icsa-22-349-21https://www.kb.cert.org/vuls/id/257823