Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2016-0800

Опубликовано: 01 мар. 2016
Источник: debian
EPSS Высокий

Описание

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
opensslfixed1.0.0c-2package
nssfixed3.13package

Примечания

  • openssl 1.0.0c-2 dropped SSLv2 support

  • NSS disabled SSLv2 by default in 3.13

  • https://www.openssl.org/news/secadv/20160301.txt

  • https://www.drownattack.com/

  • GNUTLS never implemented SSLv2

  • http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html

EPSS

Процентиль: 100%
0.89906
Высокий

Связанные уязвимости

ubuntu логотип

CVE-2016-0800

CVSS3: 5.9
ubuntu
больше 9 лет назад

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

redhat логотип

CVE-2016-0800

redhat
больше 9 лет назад

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

nvd логотип

CVE-2016-0800

CVSS3: 5.9
nvd
больше 9 лет назад

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

github логотип

GHSA-fqw2-3v24-gc79

CVSS3: 5.9
github
около 3 лет назад

The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.

fstec логотип

BDU:2016-00661

fstec
больше 9 лет назад

Уязвимость библиотеки OpenSSL, позволяющая нарушителю расшифровать передаваемые данные

EPSS

Процентиль: 100%
0.89906
Высокий