Symantec Alert: Vulnerability

OpenSSL CVE-2016-2178 Side Channel Attack Information Disclosure Vulnerability

Synopsis

Bugtraq ID: 91081
Urgency Rating: 5.7
CVE: CVE-2016-2178
Published: Jun 08 2016
Severity: 6.1
Classification: Design Error
Remote: Yes
Local: No
Impact: 4
Availability: User Initiated
Authentication: Not Required
Ease of Exploit: 1
Ease: No Exploit Available
Credibility: Vendor Confirmed
Last Update: 06/08/2016 12:50:20 PM GMT
Last Change: Initial analysis.

CVSS Version 2

CVSS2 Base: 4.3
CVSS2 Base Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS2 Temporal: 3.2
CVSS2 Temporal Vector: E:U/RL:OF/RC:C

CVSS Version 1

CVSS1 Base: 1.9
CVSS1 Temporal: 1.4

Vulnerable Systems

OpenSSL Project OpenSSL; see the references and the vendor advisory for the affected releases.

Short Summary

OpenSSL is prone to an information-disclosure vulnerability; fixes are available.

Impact

Remote attackers can perform man-in-the-middle attacks to gain access to sensitive information. This may aid in further attacks.

Technical Description

OpenSSL is an open-source implementation of the SSL/TLS protocols that is used by a number of other projects, including, but not limited to, Apache, Sendmail, and BIND. It is commonly found on Linux and other UNIX-like systems.

OpenSSL is prone to an information-disclosure vulnerability because the modular exponentiation performed during 'DSA' signing is not carried out in constant time. The secret exponent in that operation is the per-signature nonce, so an attacker able to observe the side channel (for example, cache timing on a shared host) can exploit this issue to recover the nonce and from it the private 'DSA' key.
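To show why a non-constant-time signing exponentiation matters, here is an added Python illustration (not Symantec's or OpenSSL's code) with constructed toy parameters P, Q, G, a private key x and a hash value h. It signs the same message with a leaky square-and-multiply and with a uniform Montgomery ladder, shows that the leaky operation sequence reveals every bit of the nonce k while the ladder's does not, and verifies that both produce the same valid signature.

```python
# Added illustration, not Symantec's or OpenSSL's code: a DSA signing
# exponentiation that is not constant-time leaks the per-signature nonce k.
# P, Q, G, x and h are constructed toy values (real DSA uses 2048/3072-bit p).
P, Q, G = 23, 11, 4          # G has order Q modulo P
BITS = Q.bit_length()        # exponent width the signer processes

def naive_modexp(base, exp, mod, trace):
    """Square-and-multiply; records 'S' per squaring, 'M' per multiply."""
    result = 1
    for i in range(BITS - 1, -1, -1):
        result = (result * result) % mod
        trace.append("S")
        if (exp >> i) & 1:              # secret-dependent extra operation
            result = (result * base) % mod
            trace.append("M")
    return result

def ladder_modexp(base, exp, mod, trace):
    """Montgomery ladder: one multiply and one square per bit regardless of
    the bit, so the operation sequence is independent of exp."""
    r0, r1 = 1, base % mod
    for i in range(BITS - 1, -1, -1):
        if (exp >> i) & 1:
            r0, r1 = (r0 * r1) % mod, (r1 * r1) % mod
        else:
            r1, r0 = (r0 * r1) % mod, (r0 * r0) % mod
        trace.append("MS")
    return r0

def dsa_sign(h, x, k, modexp, trace):
    """Textbook DSA signing; r = (g^k mod p) mod q is where k is the exponent."""
    r = modexp(G, k, P, trace) % Q
    s = (pow(k, -1, Q) * (h + x * r)) % Q
    return r, s

def dsa_verify(h, y, r, s):
    w = pow(s, -1, Q)
    v = (pow(G, (h * w) % Q, P) * pow(y, (r * w) % Q, P)) % P % Q
    return v == r

def bits_from_trace(trace):
    """Observer's view: 'S' followed by 'M' is a 1 bit, a lone 'S' is a 0 bit."""
    return "".join("1" if nxt == "M" else "0"
                   for op, nxt in zip(trace, trace[1:] + ["S"]) if op == "S")

def demo(k, x=7, h=5):
    """Sign with both exponentiations; return (recovered k bits, ladder trace)."""
    leaky, uniform = [], []
    sig = dsa_sign(h, x, k, naive_modexp, leaky)
    assert sig == dsa_sign(h, x, k, ladder_modexp, uniform)   # same signature
    assert dsa_verify(h, pow(G, x, P), *sig)
    return bits_from_trace(leaky), uniform
```

The ladder still branches on the bit, so it models only the uniform operation sequence; a production constant-time routine also removes secret-dependent branches and memory accesses.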

Attack Scenarios

1. An attacker locates a vulnerable application.

2. The attacker performs a man-in-the-middle attack and waits for data to be transmitted between the client and a server.

3. The attacker intercepts the traffic and uses it to obtain sensitive information.

Exploits

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Mitigating Strategies

Deploy network intrusion detection systems (NIDS) to monitor network traffic for signs of anomalous or suspicious activity, including unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from successful exploits.

Implement multiple redundant layers of security. Use of multiple redundant layers of encryption may reduce exposure to this and other latent vulnerabilities.

Solutions

Updates are available. Please see the references or vendor advisory for more information.


Credit

Cesar Pereida

References

Advisory: "Make Sure DSA Signing Exponentiations Really are Constant-Time" (IACR ePrint) http://eprint.iacr.org/2016/594

https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2

Web Page: OpenSSL Homepage (OpenSSL) http://openssl.org/

Change Log

2016.06.08: Initial analysis.

URL

https://alerts.symantec.com/loaddocument.aspx?GUID=1ac6601d-206d-4729-9496-f6d48441e46b
