Security Advisory - OpenSSL Montgomery multiplication may produce incorrect results Vulnerability

2017-04-1900:00:00

Huawei Technologies

www.huawei.com

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:N/I:N/A:P

0.008 Low

EPSS

Percentile

81.0%

JSON

The Broadwell-specific Montgomery multiplication procedure has a denial of service (DoS) vulnerability when handling input longer than 256 bits.Only EC algorithms that use Brainpool P-512 curves are affected. An attacker could exploit this vulnerability to cause DoS during ECDH key negotiation.(Vulnerability ID: HWPSIRT-2016-11044)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2016-7055.

Huawei has released software updates to fix this vulnerability. This advisory is available at the following link:

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170419-01-openssl-en

CPENameOperatorVersion
9032eqV100R001C10
ap5030dneqV200R007C00SPC100
ap5030dneqV200R007C10
ap5030dneqV200R007C10SPC100
ap5030dneqV200R007C10SPC200
ap8000eqV200R008C00
e9000 chassiseqV100R001C10SPC236
e9000 chassiseqV100R001C10SPC236T
oceanstor backup softwareeqV200R001C00
oceanstor backup softwareeqV200R001C00SPC200

Name	Operator	Version
9032	eq	V100R001C10
ap5030dn	eq	V200R007C00SPC100
ap5030dn	eq	V200R007C10
ap5030dn	eq	V200R007C10SPC100
ap5030dn	eq	V200R007C10SPC200
ap8000	eq	V200R008C00
e9000 chassis	eq	V100R001C10SPC236
e9000 chassis	eq	V100R001C10SPC236T
oceanstor backup software	eq	V200R001C00
oceanstor backup software	eq	V200R001C00SPC200