Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
CVE-2018-0733 - Medium Severity Vulnerability
Vulnerable Library - opensslOpenSSL_1_1_0g
Akamai fork of openssl master.
Library home page: https://github.com/akamai/openssl.git
Found in HEAD commit: 1fd1c91be1f09deb72b2b5349f8e936a378411b8
Found in base branch: master
Vulnerable Source Files (2)
/crypto/pariscid.pl /crypto/pariscid.pl
Vulnerability Details
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
Publish Date: 2018-03-27
URL: CVE-2018-0733
CVSS 3 Score Details (5.9)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0733
Release Date: 2018-03-27
Fix Resolution: OpenSSL_1_1_0h
Step up your Open Source Security Game with Mend here