Lenovo: LENOVO:PS500048-NOSID
Aug 14, 2016 - 12:00 a.m.

Security Losses from Obsolete and Truncated Transcript Hashes (SLOTH)

2016-08-14 00:00:00
support.lenovo.com

CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.003 Low
Percentile: 65.7%

Lenovo Security Advisory: LEN-4603

Potential Impact: An attacker with man-in-the-middle capabilities could decrypt encrypted traffic or impersonate a legitimate client or server

**Severity:** Medium

Scope of Impact: Industry-Wide

Summary Description:

A flaw was found in the way the TLS 1.2 protocol could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. An attacker with man-in-the-middle capabilities who is able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.

This vulnerability has been given the name “Security Losses from Obsolete and Truncated Transcript Hashes” or “SLOTH”.

We continue to monitor for practical collision attacks against SHA1 and will issue updated guidance and fixes should they appear.
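As an added illustration (not part of Lenovo's advisory), the sketch below decodes the body of a TLS 1.2 signature_algorithms extension, using the hash and signature code points from RFC 5246, and reports any MD5 or SHA-1 pairs a peer still offers. The policy labels and the two sample extension bodies are constructed for this example.

```python
import struct

# Code points from RFC 5246, section 7.4.1.4.1 (TLS 1.2 signature_algorithms).
HASHES = {0: "none", 1: "md5", 2: "sha1", 3: "sha224",
          4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Audit policy (assumption of this example): MD5 is the hash SLOTH abuses;
# SHA-1 is reported separately because the advisory says it is being monitored.
POLICY = {"md5": "reject", "sha1": "review"}

def parse_signature_algorithms(ext_data: bytes):
    """Decode the body of extension type 13 into (hash, signature) names."""
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (list_len,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:]
    if list_len != len(body) or list_len == 0 or list_len % 2:
        raise ValueError("malformed supported_signature_algorithms list")
    return [(HASHES.get(body[i], f"hash_{body[i]}"),
             SIGS.get(body[i + 1], f"sig_{body[i + 1]}"))
            for i in range(0, list_len, 2)]

def audit(ext_data: bytes):
    """Return (hash, signature, action) for every pair the policy flags."""
    return [(h, s, POLICY[h])
            for h, s in parse_signature_algorithms(ext_data) if h in POLICY]

# Constructed sample bodies (not captured traffic).
LEGACY_PEER = bytes.fromhex("0008" "0401" "0201" "0101" "0403")
HARDENED_PEER = bytes.fromhex("0004" "0401" "0403")

if __name__ == "__main__":
    for name, body in (("legacy", LEGACY_PEER), ("hardened", HARDENED_PEER)):
        print(name, audit(body) or "no MD5/SHA-1 offered")
```

Code points outside the RFC 5246 tables, such as TLS 1.3 signature schemes, are returned as `hash_N`/`sig_N` and are not flagged.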

Mitigation Strategy for Customers (what you should do to protect yourself):

Update to the most recent software available for your affected product by using the links below.

Product Impact:
