Bug 1301845 (CVE-2016-0701)
Summary: | CVE-2016-0701 OpenSSL: DH small subgroups | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | jaeshin, redhat-bugzilla, security-response-team, tmraz |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
It was found that OpenSSL used weak Diffie-Hellman parameters based on unsafe primes, which were generated and stored in X9.42-style parameter files. An attacker who could force the peer to perform multiple handshakes using the same private DH component could use this flaw to conduct man-in-the-middle attacks on the SSL/TLS connection.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2016-01-29 02:48:53 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 1301847 |
Description
Huzaifa S. Sidhpurwala
2016-01-26 07:26:44 UTC
Acknowledgements: Red Hat would like to thank the OpenSSL project for reporting this issue. Upstream acknowledges Antonio Sanso as the original reporter of this issue. Statement: OpenSSL 1.0.2 provides support for generating X9.42 style parameter files. This feature does not exist in any previous versions of OpenSSL. Therefore versions of OpenSSL shipped with Red Hat Enterprise Linux 5, 6, and 7, and JBoss EAP and JBoss Web Server are not vulnerable to this security flaw. Versions of OpenSSL shipped in Red Hat Enterprise Linux do not enable the SSL_OP_SINGLE_DH_USE option. However, most applications do not use SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh(). Most of them use SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() without setting the key. This has the same effect as setting SSL_OP_SINGLE_DH_USE. Public via: External References: https://www.openssl.org/news/secadv/20160128.txt Detailed write-up by original reporter: http://intothesymmetry.blogspot.com/2016/01/openssl-key-recovery-attack-on-dh-small.html openssl-1.0.2f-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. |