Vulnerability in OpenSSL (CVE-2015-0293, CVE-2016-0704)

2016-03-01T00:00:00
ID OPENSSL:CVE-2015-0293,CVE-2016-0704
Type openssl
Reporter OpenSSL
Modified 2016-03-01T00:00:00

Description

This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address the vulnerability CVE-2015-0293. s2_srvr.c overwrite the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites. This provides a Bleichenbacher oracle, and could potentially allow more efficient variants of the DROWN attack. Reported by David Adrian and J.Alex Halderman (University of Michigan) on 10th February 2016.