SUSE update for openssl1
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2023-0465 CVE-2023-0466 |
| CWE-ID | CWE-347 CWE-254 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
SUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE Operating systems & Components / Operating system SUSE Linux Enterprise Server 11 Operating systems & Components / Operating system libopenssl1_0_0 Operating systems & Components / Operating system package or component openssl1-doc Operating systems & Components / Operating system package or component openssl1 Operating systems & Components / Operating system package or component libopenssl1-devel Operating systems & Components / Operating system package or component libopenssl1_0_0-32bit Operating systems & Components / Operating system package or component |
| Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU74148
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-0465
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to an error when validating certificate policies in leaf certificates. A remote attacker that controls a malicious CA server can issue a certificate that will be validated by the application.
Update the affected package openssl1 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
libopenssl1_0_0: before 1.0.1g-0.58.62.1
openssl1-doc: before 1.0.1g-0.58.62.1
openssl1: before 1.0.1g-0.58.62.1
libopenssl1-devel: before 1.0.1g-0.58.62.1
libopenssl1_0_0-32bit: before 1.0.1g-0.58.62.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_11_sp4_ltss_extreme_core:11-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_11:SP4:*:*:*:*:*:*:*
- cpe:2.3:a:suse:libopenssl1_0_0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openssl1-doc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openssl1:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libopenssl1-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libopenssl1_0_0-32bit:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2023/suse-su-20231926-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security features bypass
EUVDB-ID: #VU74149
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-0466
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to an error within the X509_VERIFY_PARAM_add0_policy() function, which does not perform the certificate policy check despite being implicitly enabled. A remote attacker can bypass expected security restrictions and perform MitM attack.
Update the affected package openssl1 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 11 SP4 LTSS EXTREME CORE: 11-SP4
SUSE Linux Enterprise Server 11: SP4
libopenssl1_0_0: before 1.0.1g-0.58.62.1
openssl1-doc: before 1.0.1g-0.58.62.1
openssl1: before 1.0.1g-0.58.62.1
libopenssl1-devel: before 1.0.1g-0.58.62.1
libopenssl1_0_0-32bit: before 1.0.1g-0.58.62.1
CPE2.3- cpe:2.3:o:suse:suse_linux_enterprise_server_11_sp4_ltss_extreme_core:11-SP4:*:*:*:*:*:*:*
- cpe:2.3:o:suse:suse_linux_enterprise_server_11:SP4:*:*:*:*:*:*:*
- cpe:2.3:a:suse:libopenssl1_0_0:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openssl1-doc:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:openssl1:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libopenssl1-devel:*:*:*:*:*:suse_linux:*:*
- cpe:2.3:a:suse:libopenssl1_0_0-32bit:*:*:*:*:*:suse_linux:*:*
https://www.suse.com/support/update/announcement/2023/suse-su-20231926-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
