Main
Vulnerability Database
Exploits
ID:8589 - Exploit for Information disclosure in OpenSSL - CVE-2016-0800
ID:8589 - Exploit for Information disclosure in OpenSSL - CVE-2016-0800
Published: November 8, 2022
Vulnerability identifier: #VU1914
Vulnerability risk: Medium
CVE-ID: CVE-2016-0800
CWE-ID: CWE-327
Exploitation vector: Remote access
Vulnerable software:
OpenSSL
OpenSSL
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to decrypt sensitive information.
The vulnerability exists due to usage of weak SSLv2 protocol, which requires to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data. A remote attacker can decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle.
The vulnerability is dubbed "DROWN" attack.
The vulnerability exists due to usage of weak SSLv2 protocol, which requires to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data. A remote attacker can decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle.
The vulnerability is dubbed "DROWN" attack.
Remediation
Update to version 1.0.1s or 1.0.2g.