OpenSSL CVE-2016-0701 Information Disclosure Vulnerability

Description

Severity: High

Historically OpenSSL usually only ever generated DH parameters based on "safe" primes. More recently (in version 1.0.2) support was provided for generating X9.42 style parameter files such as those required for RFC 5114 support. The primes used in such files may not be "safe". Where an application is using DH configured with parameters based on primes that are not "safe", an attacker could use this fact to find a peer's private DH exponent. This attack requires that the attacker complete multiple handshakes in which the peer uses the same private DH exponent. For example, this could be used to discover a TLS server's private DH exponent if it is reusing the private DH exponent or it is using a static DH ciphersuite.

OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS. It is not on by default. If the option is not set, the server reuses the same private DH exponent for the life of the server process and would be vulnerable to this attack. It is believed that many popular applications do set this option and would therefore not be at risk.

OpenSSL before 1.0.2f will reuse the key if:
- SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not set.
- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, both the parameters and the key are set, and SSL_OP_SINGLE_DH_USE is not set. This is an undocumented feature, and parameter files do not contain the key.
- Static DH ciphersuites are used. The key is part of the certificate and so it is always reused. This is only supported in 1.0.2.

It will not reuse the key for DHE ciphersuites if:
- SSL_OP_SINGLE_DH_USE is set.
- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the key is not set.
- SSL_CTX_set_dh_auto()/SSL_set_dh_auto() is used.

Non-safe primes are generated by OpenSSL when using:
- genpkey with the dh_rfc5114 option. This generates the parameters from RFC 5114, which are non-safe.
- dhparam with the -dsaparam option. This generates DSA-style parameters, which are non-safe.

The fix for this issue adds an additional check where a "q" parameter is available (as is the case in X9.42 based parameters): the peer's public value must satisfy y^q = 1 (mod p), i.e. it must lie in the intended order-q subgroup. This detects the only known attack, and is the only possible defense for static DH ciphersuites. This could have some performance impact.

Additionally, the SSL_OP_SINGLE_DH_USE option has been switched on by default and cannot be disabled. This could have some performance impact.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2f.

OpenSSL 1.0.1 is not affected by this CVE because it does not support X9.42 based parameters. It is possible to generate parameters using non "safe" primes, but this option has always been documented as requiring single use and is not the default or believed to be common. However, as a precaution, the SSL_OP_SINGLE_DH_USE change has also been backported to 1.0.1r.

This issue was reported to OpenSSL on 12 January 2016 by Antonio Sanso (Adobe). The fix was developed by Matt Caswell of the OpenSSL development team.
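The following is an added example, not code from OpenSSL or from this advisory, that models the attack and the fix described above on constructed toy parameters. The prime p = 21211 (p - 1 = 2 * 3 * 5 * 7 * 101), the subgroup order q = 101, the private exponent 77, the class and function names, and the HMAC stand-in for the TLS Finished message are all assumptions chosen for illustration; real X9.42/RFC 5114 parameters are 1024- or 2048-bit but have the same shape (p - 1 with small factors besides q). It shows why a reused exponent with a non-safe prime leaks x a few bits per handshake, and why the y^q = 1 (mod p) check stops it.

```python
"""Toy model of CVE-2016-0701: small-subgroup confinement against a DH server
that reuses its private exponent with a non-safe prime, and the "q" check that
OpenSSL 1.0.2f added as the defence.

Added example, not code from the OpenSSL project. All group parameters are
constructed toy-sized numbers (assumptions for illustration only).
"""
import hashlib
import hmac
from functools import reduce

# Constructed toy group: p - 1 = 2 * 3 * 5 * 7 * 101. Honest parties work in the
# subgroup of prime order q = 101, as X9.42 parameters intend. p is not a "safe"
# prime ((p - 1) / 2 is not prime), so Z_p^* also has elements of order 2, 3, 5
# and 7, which is what the attacker exploits.
P = 21211
Q = 101
# The order-2 element is p - 1 and is rejected by the ordinary 1 < y < p-1 range
# check, so the attacker uses 3, 5 and 7. Their product 105 exceeds q, which is
# enough to pin down an exponent x in [1, q-1] completely.
SMALL_FACTORS = (3, 5, 7)


def is_prime(n):
    """Trial division; adequate for toy-sized numbers."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def element_of_order(r, p=P):
    """Return an element of Z_p^* of exact (prime) order r, where r | p - 1."""
    assert is_prime(r) and (p - 1) % r == 0
    for z in range(2, p):
        h = pow(z, (p - 1) // r, p)
        if h != 1:
            return h
    raise ValueError("no element of order %d" % r)


G = element_of_order(Q)  # generator of the intended order-q subgroup


def finished_mac(secret):
    """Stand-in for the TLS Finished MAC: lets a peer confirm a guessed secret."""
    key = hashlib.sha256(secret.to_bytes(4, "big")).digest()
    return hmac.new(key, b"finished", hashlib.sha256).digest()


class DHServer:
    """Server that, like OpenSSL < 1.0.2f without SSL_OP_SINGLE_DH_USE, keeps
    one private exponent x for its whole lifetime."""

    def __init__(self, x, check_subgroup):
        assert 1 <= x < Q
        self.x = x
        self.check_subgroup = check_subgroup
        self.pub = pow(G, x, P)

    def handshake(self, peer_pub):
        """Derive the shared secret from peer_pub and return the Finished MAC,
        or None if the peer value is rejected."""
        if not 1 < peer_pub < P - 1:
            return None
        # The 1.0.2f fix: when q is available, require peer_pub^q == 1 (mod p),
        # i.e. the peer value really lies in the order-q subgroup.
        if self.check_subgroup and pow(peer_pub, Q, P) != 1:
            return None
        return finished_mac(pow(peer_pub, self.x, P))


def crt(residues, moduli):
    """Combine x = r_i (mod m_i) for pairwise coprime m_i into x mod prod(m_i)."""
    total = reduce(lambda a, b: a * b, moduli)
    x = 0
    for r, m in zip(residues, moduli):
        n = total // m
        x += r * n * pow(n, -1, m)
    return x % total


def recover_exponent(server):
    """Small-subgroup attack: one handshake per small factor r of p - 1.
    Sending an element h of order r confines the server's secret h^x to r
    values; since h^x = h^(x mod r), brute-forcing the Finished MAC over
    t in [0, r) yields x mod r. CRT then combines the residues.
    Returns the recovered exponent, or None if the server refused a value."""
    residues, moduli = [], []
    for r in SMALL_FACTORS:
        h = element_of_order(r)
        mac = server.handshake(h)
        if mac is None:
            return None
        for t in range(r):
            if hmac.compare_digest(mac, finished_mac(pow(h, t, P))):
                residues.append(t)
                moduli.append(r)
                break
    return crt(residues, moduli)


if __name__ == "__main__":
    print("reused x, no q check:", recover_exponent(DHServer(77, False)))  # 77
    print("reused x, q check   :", recover_exponent(DHServer(77, True)))   # None
```

Three handshakes suffice here because the attacker only needs the product of the small subgroup orders to exceed q; against RFC 5114 parameters the same recovery takes more handshakes but the same number of modular exponentiations per handshake. The check in handshake() is the defence the advisory describes; turning on SSL_OP_SINGLE_DH_USE defeats the attack differently, by making each handshake's residue belong to a different x so the CRT step has nothing to combine, but it cannot help static DH ciphersuites, whose exponent is fixed by the certificate.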

Affected Applications

OpenSSL

CVE References

CVE-2016-0701