Lucene search

K
huaweiHuawei TechnologiesHUAWEI-SA-20170503-01-OPENSSL
HistoryMay 03, 2017 - 12:00 a.m.

Security Advisory - Three OpenSSL Vulnerabilities in Huawei Products

2017-05-0300:00:00
Huawei Technologies
www.huawei.com
47

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.954 High

EPSS

Percentile

99.3%

On January 26, 2017, the OpenSSL Software Foundation released a security advisory that included three new vulnerabilities.

If a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack. (Vulnerability ID: HWPSIRT-2017-02005)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-3730.

If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. (Vulnerability ID: HWPSIRT-2017-02006)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-3731.

There is a vulnerability in the x86_64 Montgomery squaring procedure, if DH parameters are used and a private key is shared between multiple clients, a successful exploit could allow the attacker to access sensitive private key information. (Vulnerability ID: HWPSIRT-2017-02007)

This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-3732.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:

<http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170503-01-openssl-en&gt;

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.954 High

EPSS

Percentile

99.3%