#VU9594 Improper input validation in OpenSSL - CVE-2017-3737


| Updated: 2018-02-01

Vulnerability identifier: #VU9594

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-3737

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OpenSSL
Server applications / Encryption software

Vendor: OpenSSL Software Foundation

Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information on the target system.

The weakness exists due to an "error state mechanism" when SSL_read() or SSL_write() is called directly after SSL object. A remote attacker can a specially crafted input, trigger a fatal error during a handshake and return it in the initial function call to access or modify sensitive information.

Mitigation
Update to version 1.0.2n.

Vulnerable software versions

OpenSSL: 1.0.2m - 1.0.2

External links
https://www.openssl.org/news/secadv/20171207.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM GCM16 & GCM32 and LCM8 & LCM16 KVM Switch Firmware
Multiple vulnerabilities in IBM Netezza Performance Server
Multiple vulnerabilities in Dell Networker
Multiple vulnerabilities in QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter
Multiple vulnerabilities in IBM Cognos Analytics
Information disclosure in Siemens Industrial Products
Multiple vulnerabilities in IBM Cognos Business Intelligence Server
Amazon Linux AMI update for openssl
Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition
OpenSUSE Linux update for virtualbox