CVE-2015-7744

Опубликовано: 22 янв. 2016

Источник: nvd

CVSS3: 5.9

CVSS2: 2.6

EPSS Низкий

Описание

wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, aka a Lenstra attack.

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00015.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00016.html
Mailing List
Third Party Advisory
http://wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html
Release Notes
Vendor Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
Vendor Advisory
http://www.securitytracker.com/id/1034708
Broken Link
Third Party Advisory
VDB Entry
https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
Exploit
Third Party Advisory
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
Exploit
Third Party Advisory
https://wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00015.html
Mailing List
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00016.html
Mailing List
Third Party Advisory
http://wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html
Release Notes
Vendor Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
Vendor Advisory
http://www.securitytracker.com/id/1034708
Broken Link
Third Party Advisory
VDB Entry
https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf
Exploit
Third Party Advisory
https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
Exploit
Third Party Advisory
https://wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*

Версия до 3.6.8 (исключая)

Конфигурация 2

Одно из

cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*

Версия от 5.5.0 (включая) до 5.5.46 (исключая)

cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*

Версия от 10.0.0 (включая) до 10.0.22 (исключая)

cpe:2.3:a:mariadb:mariadb:*:*:*:*:*:*:*:*

Версия от 10.1.0 (включая) до 10.1.9 (исключая)

EPSS

Процентиль: 85%

0.02661

Низкий

5.9 Medium

CVSS3

2.6 Low

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

CVE-2015-7744

CVSS3: 5.9

ubuntu

почти 10 лет назад

CVE-2015-7744

redhat

почти 11 лет назад

CVE-2015-7744

CVSS3: 5.9

debian

почти 10 лет назад

wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults ...

GHSA-f7wf-fgwg-64px

CVSS3: 5.9

github

больше 3 лет назад

BDU:2016-00137

fstec

почти 10 лет назад

Уязвимость системы управления базами данных MySQL, позволяющая нарушителю получить доступ на чтение данных

EPSS

Процентиль: 85%

0.02661

Низкий

5.9 Medium

CVSS3

2.6 Low

CVSS2

Дефекты

NVD-CWE-noinfo