PT-2016-1595 · Openssl+7 · Openssl+7
Nimrod Aviram
+1
·
Published
2016-01-28
·
Updated
2024-06-15
·
CVE-2015-3197
CVSS v3.1
5.9
Medium
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 1.0.1 before 1.0.1r
OpenSSL versions 1.0.2 before 1.0.2f
Description
The issue is related to errors in cryptographic transformations in the OpenSSL library, specifically in the ssl/s2 srvr.c function. This can be exploited by a remote attacker to compromise the cryptographic protection mechanism by performing computations on SSLv2 traffic, related to the
get client master key and get client hello functions. The vulnerability makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms.Recommendations
For OpenSSL versions 1.0.1 before 1.0.1r, update to version 1.0.1r or later.
For OpenSSL versions 1.0.2 before 1.0.2f, update to version 1.0.2f or later.
As a temporary workaround, consider disabling the use of SSLv2 traffic until a patch is available. Restrict access to the
get client master key and get client hello functions to minimize the risk of exploitation.Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Centos
Freebsd
Ibm Aix
Openssl
Red Hat
Suse
Virtualbox