SB2018061324 - Improper input validation in openssl (Alpine package)
Published: June 13, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Improper input validation (CVE-ID: CVE-2018-0732)
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.
The vulnerability exists due to improper handling of large prime values by the affected software during key agreement operations in a Transport Layer Security (TLS) handshake using an Ephemeral Diffie-Hellman (DHE) based cipher suite. A remote attacker can send a large prime value from a malicious OpenSSL server to a targeted OpenSSL client and cause the client to stop responding while generating a key for the prime value.
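The following is an added example, not code from this bulletin or from OpenSSL, of the kind of bound a client can apply: it parses the ServerDHParams fields (dh_p, dh_g, dh_Ys) of a DHE ServerKeyExchange and refuses an oversized prime before any key generation starts. The 10000-bit ceiling, the function names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed policy ceiling for this example, not a value taken from the bulletin. */
#define MAX_DH_PRIME_BITS 10000u
enum dh_check { DH_OK = 0, DH_TRUNCATED = -1, DH_EMPTY = -2, DH_TOO_LARGE = -3 };

/* Read one TLS "opaque<1..2^16-1>" field: 2-byte big-endian length, then data. */
static int read_opaque16(const uint8_t *buf, size_t len, size_t *off,
                         const uint8_t **out, size_t *out_len)
{
    if (len - *off < 2) return DH_TRUNCATED;
    size_t n = ((size_t)buf[*off] << 8) | buf[*off + 1];
    *off += 2;
    if (n == 0) return DH_EMPTY;
    if (len - *off < n) return DH_TRUNCATED;   /* length field lies about the data */
    *out = buf + *off;
    *out_len = n;
    *off += n;
    return DH_OK;
}

/* Bit length of a big-endian integer, ignoring leading zero bytes. */
static size_t be_bit_length(const uint8_t *p, size_t n)
{
    while (n > 0 && *p == 0) { p++; n--; }
    if (n == 0) return 0;
    size_t bits = (n - 1) * 8;
    for (uint8_t top = *p; top != 0; top >>= 1) bits++;
    return bits;
}

/* Validate ServerDHParams before any modular exponentiation is attempted. */
int check_server_dh_params(const uint8_t *msg, size_t len, size_t *prime_bits)
{
    const uint8_t *field; size_t flen, off = 0;
    int rc = read_opaque16(msg, len, &off, &field, &flen);          /* dh_p */
    if (rc != DH_OK) return rc;
    *prime_bits = be_bit_length(field, flen);
    if (*prime_bits == 0) return DH_EMPTY;
    if (*prime_bits > MAX_DH_PRIME_BITS) return DH_TOO_LARGE;       /* refuse early */
    if ((rc = read_opaque16(msg, len, &off, &field, &flen)) != DH_OK) return rc; /* dh_g */
    return read_opaque16(msg, len, &off, &field, &flen);            /* dh_Ys */
}

int main(void)
{
    static const uint8_t ok[] = { 0,2, 0x00,0xFB, 0,1, 2, 0,1, 5 }; /* constructed sample */
    size_t bits = 0;
    printf("rc=%d bits=%zu\n", check_server_dh_params(ok, sizeof ok, &bits), bits);
    return 0;
}
```
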
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=8318a0b07a3aac56659289654c3403dfb8ee5ae1
- https://git.alpinelinux.org/aports/commit/?id=8593c3d6ba83fa5acf4bd55ff54c5481806a3596
- https://git.alpinelinux.org/aports/commit/?id=a6c1a037cfc03efb105af4f5eb6dfa305d268df3
- https://git.alpinelinux.org/aports/commit/?id=f23142862c2e144caac4022dba598819c072c867
- https://git.alpinelinux.org/aports/commit/?id=2fdc8bcc6549290b131675ef42d52243c37f3879
- https://git.alpinelinux.org/aports/commit/?id=56c7a6d7971e769c3dbec1bf8a8ef3021e34d654
- https://git.alpinelinux.org/aports/commit/?id=2258fe946d55022e3e8503b306eeabf6858ef89b
- https://git.alpinelinux.org/aports/commit/?id=86f75868acf5d2946949ee2896076f424c3a3088
- https://git.alpinelinux.org/aports/commit/?id=d59577c011626963a91f59d8cce9c55e72baf023
- https://git.alpinelinux.org/aports/commit/?id=64003a818c75a368244e5123801eeae2c9289406