
2878 matches found

seebug.org
added 2016/03/02 12:0 a.m. | 326 views

Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800)

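Popular servers and clients today use TLS encryption; however, due to misconfiguration, many servers still support SSLv2, an old protocol that many clients no longer support. The DROWN attack can threaten servers and clients that still support SSLv2, allowing an attacker to decrypt TLS communications by sending probes to servers and clients that support SSLv2 and use the same key. Official advisory on the vulnerability: A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and...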

CVSS 4.3 | AI score 7.3 | EPSS 0.82112
Exploits: 2
OpenVAS
added 2016/03/02 12:0 a.m. | 51 views

RedHat Update for openssl RHSA-2016:0302-01

The remote host is missing an update for the SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...

CVSS 7.5 | AI score 8.6 | EPSS 0.82112
Exploits: 2 | References: 2
OpenVAS
added 2016/03/02 12:0 a.m. | 42 views

CentOS Update for openssl CESA-2016:0302 centos5

Check the version of openssl SPDX-FileCopyrightText: 2016 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description) script_oid("1.3.6.1.4.1.25623.1.0.882403");...

CVSS 7.5 | AI score 7.6 | EPSS 0.82112
Exploits: 2 | References: 2
Debian CVE
added 2016/03/02 12:0 a.m. | 59 views

CVE-2016-0704

An oracle protection mechanism in the get_client_master_key function in s2_srvr.c in the SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a overwrites incorrect MASTER-KEY bytes during use of export cipher suites, which makes it easier fo...

CVSS 5.9 | AI score 8.2 | EPSS 0.06903
Exploits: 0
Tenable Nessus
added 2016/03/02 12:0 a.m. | 40 views

Debian DSA-3500-1 : openssl - security update

Several vulnerabilities were discovered in OpenSSL, a Secure Socket Layer toolkit. - CVE-2016-0702 Yuval Yarom from the University of Adelaide and NICTA, Daniel Genkin from Technion and Tel Aviv University, and Nadia Heninger from the University of Pennsylvania discovered a side-channel attack...

CVSS 10 | AI score 7.8 | EPSS 0.82112
Exploits: 2 | References: 17
Tenable Nessus
added 2016/03/02 12:0 a.m. | 301 views

RHEL 6 / 7 : openssl (RHSA-2016:0301) (DROWN)

Updated openssl packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are...

CVSS 10 | AI score 8.1 | EPSS 0.82112
Exploits: 2 | References: 16
RedHat Linux
added 2016/03/01 2:45 p.m. | 78 views

Important: Red Hat Security Advisory: openssl security update

Updated openssl packages that fix three security issues are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available fo...

CVSS 7.5 | AI score 7.4 | EPSS 0.82112
Exploits: 2 | References: 8
RedHat Linux
added 2016/03/01 2:45 p.m. | 5 views

openssl: assertion failure in SSLv2 servers

A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled...

CVSS 5 | AI score 6.7 | EPSS 0.21247
Exploits: 0 | References: 6
RedHat Linux
added 2016/03/01 2:45 p.m. | 6 views

openssl: assertion failure in SSLv2 servers

A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled...

CVSS 5 | AI score 6.7 | EPSS 0.21247
Exploits: 0 | References: 6
RedHat Linux
added 2016/03/01 2:44 p.m. | 8 views

openssl: Divide-and-conquer session key recovery in SSLv2

It was discovered that the SSLv2 servers using OpenSSL accepted SSLv2 connection handshakes that indicated non-zero clear key length for non-export cipher suites. An attacker could use this flaw to decrypt recorded SSLv2 sessions with the server by using it as a decryption oracle...

CVSS 5.9 | AI score 6.8 | EPSS 0.05398
Exploits: 1 | References: 5
RedHat Linux
added 2016/03/01 2:44 p.m. | 7 views

openssl: assertion failure in SSLv2 servers

A denial of service flaw was found in the way OpenSSL handled SSLv2 handshake messages. A remote attacker could use this flaw to cause a TLS/SSL server using OpenSSL to exit on a failed assertion if it had both the SSLv2 protocol and EXPORT-grade cipher suites enabled...

CVSS 5 | AI score 6.7 | EPSS 0.21247
Exploits: 0 | References: 6
OpenSSL
added 2016/03/01 12:0 a.m. | 80 views

Vulnerability in OpenSSL - Cross-protocol attack on TLS using SSLv2 (DROWN)

A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting...

AI score 6.6 | EPSS 0.82112
Exploits: 2 | Affected Software: 1
OpenSSL
added 2016/03/01 12:0 a.m. | 55 views

Vulnerability in OpenSSL - Bleichenbacher oracle in SSLv2

This issue only affected versions of OpenSSL prior to March 19th 2015, at which time the code was refactored to address the vulnerability CVE-2015-0293. s2_srvr.c overwrites the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites. This provides a...

AI score 6.5 | EPSS 0.21247
Exploits: 0 | Affected Software: 1
OSV
added 2016/03/01 12:0 a.m. | 55 views

DSA-3500-1 openssl - security update

Bulletin has no description...

CVSS 10 | AI score 6.5 | EPSS 0.53655
Exploits: 1
Tenable Nessus
added 2016/02/29 12:0 a.m. | 42 views

OracleVM 3.2 : openssh (OVMSA-2016-0030)

The remote OracleVM system is missing necessary patches to address critical security updates : - change default value of MaxStartups - CVE-2010-5107 John Haxby - improve RNG seeding from /dev/random 681291,708056 - make ssh1's ConnectTimeout option apply to both the TCP connection and SSH banner...

CVSS 7.5 | AI score 6.6 | EPSS 0.1651
Exploits: 1 | References: 2
OSV
added 2016/02/20 12:0 a.m. | 57 views

DLA-421-1 openssl - security update

Bulletin has no description...

CVSS 5.9 | AI score 6.8 | EPSS 0.10731
Exploits: 2
OpenVAS
added 2016/02/18 12:0 a.m. | 26 views

BSI-TR-03116-4 Policy

The German Federal Office for Information Security published a guideline with specifications for the use of communication methods. This script checks the specifications for securing communication using TLS by testing if at least one of the mandatory cipher suites are enabled on the target: - TLS...

AI score 5.9
Exploits: 0 | References: 3
OSV
added 2016/02/15 2:59 a.m. | 1 view

DEBIAN-CVE-2015-3197

ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and...

CVSS 5.9 | AI score 9.2 | EPSS 0.10731
Exploits: 2 | References: 1
OpenSSL
added 2016/01/28 12:0 a.m. | 65 views

Vulnerability in OpenSSL - SSLv2 doesn't block disabled ciphers

A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2. Found by Nimrod Aviram and Sebastian Schinzel...

AI score 7 | EPSS 0.10731
Exploits: 2 | Affected Software: 1
CERT
added 2016/01/28 12:0 a.m. | 311 views

OpenSSL re-uses unsafe prime numbers in Diffie-Hellman protocol

Overview: OpenSSL may generate unsafe primes for use in the Diffie-Hellman protocol, which may lead to disclosure of enough information for an attacker to recover the private encryption key. Description: CWE-325: Missing Required Cryptographic Step - CVE-2016-0701. OpenSSL 1.0.2 introduced the abilit...

CVSS 5.9 | AI score 6.7 | EPSS 0.83645
Exploits: 2 | References: 5