CVE-2020-1968 (Low) detected in opensslOpenSSL_1_0_2

[mend-bolt-for-github[bot]]

CVE-2020-1968 - Low Severity Vulnerability

Vulnerable Library - opensslOpenSSL_1_0_2

TLS/SSL and crypto library

Library home page: https://github.com/openssl/openssl.git

Found in HEAD commit: 324810317981b91bee177f96efc4d7b59e34525c

Found in base branch: master

Vulnerable Source Files (1)

/ssl/ssl_ciph.c

Vulnerability Details

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).

Publish Date: 2020-09-09

URL: CVE-2020-1968

CVSS 3 Score Details (3.7)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openssl.org/news/secadv/20200909.txt

Release Date: 2020-09-09

Fix Resolution: 1.0.2w

---

Step up your Open Source Security Game with Mend here