CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2016-7440
https://notcve.org/view.php?id=CVE-2016-7440
The C software implementation of AES Encryption and Decryption in wolfSSL (formerly CyaSSL) before 3.9.10 makes it easier for local users to discover AES keys by leveraging cache-bank timing differences. La implementación de software C de AES Encryption and Decryption en wolfSSL (anterioremtne CyaSSL) en versiones anteriores a 3.9.10 hace más fácil para usuarios locales descubrir las claves AES aprovechando las diferencias de tiempo de banco del cachè. • http://www.debian.org/security/2016/dsa-3706 http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.securityfocus.com/bid/93659 http://www.securitytracker.com/id/1037050 https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes https://wolfssl.com/wolfSSL/Blog/Entries/2016/9/26_wolfSSL_3.9.10_Vulnerability_Fixes.html •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2015-6925
https://notcve.org/view.php?id=CVE-2015-6925
wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or traffic amplification) via a crafted DTLS cookie in a ClientHello message. wolfSSL (anteriormente CyaSSL) en versiones anteriores a 3.6.8 permite a atacantes remotos provocar una denegación de servicio (consumo de recurso o amplificación de tráfico) a través de una cookie DTLS manipulada en un mensaje ClientHello. • http://wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html https://github.com/IAIK/wolfSSL-DoS https://wolfssl.com/wolfSSL/Blog/Entries/2015/9/17_Two_Vulnerabilities_Recently_Found%2C_An_Attack_on_RSA_using_CRT_and_DoS_Vulnerability_With_DTLS.html • CWE-399: Resource Management Errors •
CVSS: 5.9EPSS: 0%CPEs: 7EXPL: 2CVE-2015-7744
https://notcve.org/view.php?id=CVE-2015-7744
wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, aka a Lenstra attack. wolfSSL (anteriormente CyaSSL) en versiones anteriores a 3.6.8 no maneja correctamente fallos asociados con el proceso Chinese Remainder Theorem (CRT) cuando permiten el intercambio de claves efímeras sin optimizaciones de memoria baja en un servidor, lo que hace que sea más fácil para atacantes remotos obtener claves privadas RSA mediante la captura de un apretón de manos TLS, también conocido como un ataque Lenstra. • http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00015.html http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00016.html http://wolfssl.com/wolfSSL/Docs-wolfssl-changelog.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html http://www.securitytracker.com/id/1034708 https://people.redhat.com/~fweimer/rsa-crt-leaks.pdf https://securityblog.redhat.com/2015/09/02/factori •