// For flags

CVE-2014-3570

openssl: Bignum squaring may produce incorrect results

Severity Score

3.7
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The BN_sqr implementation in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k does not properly calculate the square of a BIGNUM value, which might make it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, related to crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, and crypto/bn/bn_asm.c.

La implementación BN_sqr en OpenSSL anterior a 0.9.8zd, 1.0.0 anterior a 1.0.0p, y 1.0.1 anterior a 1.0.1k no calcula correctamente el cuadrado de un valor BIGNUM, lo que podría facilitar a atacantes remotos superar los mecanismos de protección criptográficos a través de vectores no especificados, relacionado con crypto/bn/asm/mips.pl, crypto/bn/asm/x86_64-gcc.c, y crypto/bn/bn_asm.c.

It was found that OpenSSL's BigNumber Squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-05-14 CVE Reserved
  • 2015-01-09 CVE Published
  • 2023-11-07 First Exploit
  • 2024-08-06 CVE Updated
  • 2024-08-21 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-310: Cryptographic Issues
CAPEC
References (44)
URL Tag Source
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10679 X_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html X_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html X_refsource_confirm
http://www.securityfocus.com/bid/71939 Vdb Entry
http://www.securitytracker.com/id/1033378 Vdb Entry
https://bto.bluecoat.com/security-advisory/sa88 X_refsource_confirm
https://github.com/openssl/openssl/commit/a7a44ba55cb4f884c6bc9ceac90072dea38e66d0 X_refsource_confirm
https://kc.mcafee.com/corporate/index?page=content&id=SB10102 X_refsource_confirm
https://kc.mcafee.com/corporate/index?page=content&id=SB10108 X_refsource_confirm
https://support.apple.com/HT204659 X_refsource_confirm
https://support.citrix.com/article/CTX216642 X_refsource_confirm
URL Date SRC
https://github.com/uthrasri/CVE-2014-3570 2023-11-07
URL Date SRC
URL Date SRC
http://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html 2017-11-15
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/147938.html 2017-11-15
http://lists.fedoraproject.org/pipermail/package-announce/2015-January/148363.html 2017-11-15
http://lists.opensuse.org/opensuse-security-announce/2015-01/msg00021.html 2017-11-15
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html 2017-11-15
http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00026.html 2017-11-15
http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00037.html 2017-11-15
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html 2017-11-15
http://marc.info/?l=bugtraq&m=142496179803395&w=2 2017-11-15
http://marc.info/?l=bugtraq&m=142496289803847&w=2 2017-11-15
http://marc.info/?l=bugtraq&m=142720981827617&w=2 2017-11-15
http://marc.info/?l=bugtraq&m=142721102728110&w=2 2017-11-15
http://marc.info/?l=bugtraq&m=142895206924048&w=2 2017-11-15
http://marc.info/?l=bugtraq&m=143748090628601&w=2 2017-11-15
http://marc.info/?l=bugtraq&m=144050155601375&w=2 2017-11-15
http://marc.info/?l=bugtraq&m=144050205101530&w=2 2017-11-15
http://marc.info/?l=bugtraq&m=144050254401665&w=2 2017-11-15
http://marc.info/?l=bugtraq&m=144050297101809&w=2 2017-11-15
http://rhn.redhat.com/errata/RHSA-2015-0066.html 2017-11-15
http://rhn.redhat.com/errata/RHSA-2015-0849.html 2017-11-15
http://rhn.redhat.com/errata/RHSA-2016-1650.html 2017-11-15
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150310-ssl 2017-11-15
http://www.debian.org/security/2015/dsa-3125 2017-11-15
http://www.mandriva.com/security/advisories?name=MDVSA-2015:019 2017-11-15
http://www.mandriva.com/security/advisories?name=MDVSA-2015:062 2017-11-15
https://www.openssl.org/news/secadv_20150108.txt 2017-11-15
https://access.redhat.com/security/cve/CVE-2014-3570 2016-08-22
https://bugzilla.redhat.com/show_bug.cgi?id=1180240 2016-08-22
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 <= 0.9.8zc
Search vendor "Openssl" for product "Openssl" and version " <= 0.9.8zc"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0a
Search vendor "Openssl" for product "Openssl" and version "1.0.0a"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0b
Search vendor "Openssl" for product "Openssl" and version "1.0.0b"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0c
Search vendor "Openssl" for product "Openssl" and version "1.0.0c"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0d
Search vendor "Openssl" for product "Openssl" and version "1.0.0d"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0e
Search vendor "Openssl" for product "Openssl" and version "1.0.0e"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0f
Search vendor "Openssl" for product "Openssl" and version "1.0.0f"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0g
Search vendor "Openssl" for product "Openssl" and version "1.0.0g"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0h
Search vendor "Openssl" for product "Openssl" and version "1.0.0h"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0i
Search vendor "Openssl" for product "Openssl" and version "1.0.0i"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0j
Search vendor "Openssl" for product "Openssl" and version "1.0.0j"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0k
Search vendor "Openssl" for product "Openssl" and version "1.0.0k"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0l
Search vendor "Openssl" for product "Openssl" and version "1.0.0l"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0m
Search vendor "Openssl" for product "Openssl" and version "1.0.0m"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0n
Search vendor "Openssl" for product "Openssl" and version "1.0.0n"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.0o
Search vendor "Openssl" for product "Openssl" and version "1.0.0o"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1a
Search vendor "Openssl" for product "Openssl" and version "1.0.1a"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1b
Search vendor "Openssl" for product "Openssl" and version "1.0.1b"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1c
Search vendor "Openssl" for product "Openssl" and version "1.0.1c"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1d
Search vendor "Openssl" for product "Openssl" and version "1.0.1d"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1e
Search vendor "Openssl" for product "Openssl" and version "1.0.1e"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1f
Search vendor "Openssl" for product "Openssl" and version "1.0.1f"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1g
Search vendor "Openssl" for product "Openssl" and version "1.0.1g"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1h
Search vendor "Openssl" for product "Openssl" and version "1.0.1h"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1i
Search vendor "Openssl" for product "Openssl" and version "1.0.1i"
-
Affected
Openssl
Search vendor "Openssl"
 Openssl
Search vendor "Openssl" for product "Openssl"
 1.0.1j
Search vendor "Openssl" for product "Openssl" and version "1.0.1j"
-
Affected