CVE-2016-2107

OpenSSL - Padding Oracle in AES-NI CBC MAC Check

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.

La implementación de AES-NI en OpenSSL en versiones anteriores a 1.0.1t y 1.0.2 en versiones anteriores a 1.0.2h no considera la asignación de memoria durante una comprobación de relleno determinada, lo que permite a atacantes remotos obtener información de texto claro sensible a través de un ataque de padding-oracle contra una sesión AES CBC . NOTA: esta vulnerabilidad existe debido a una corrección incorrecta para CVE-2013-0169.

It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-01-29 CVE Reserved
2016-05-03 CVE Published
2016-05-13 First Exploit
2024-08-05 CVE Updated
2024-08-12 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-310: Cryptographic Issues

CAPEC

References (60)

URL	Tag	Source
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759	Third Party Advisory
http://packetstormsecurity.com/files/136912/Slackware-Security-Advisory-openssl-Updates.html	Third Party Advisory
http://source.android.com/security/bulletin/2016-07-01.html	Third Party Advisory
http://support.citrix.com/article/CTX212736	Third Party Advisory
http://web-in-security.blogspot.ca/2016/05/curious-padding-oracle-in-openssl-cve.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html	Third Party Advisory
http://www.securityfocus.com/bid/89760	Third Party Advisory
http://www.securityfocus.com/bid/91787	Third Party Advisory
http://www.securitytracker.com/id/1035721	Third Party Advisory
https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites	Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf	Third Party Advisory
https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=68595c0c2886e7942a14f98c17a55a88afb6c292	Broken Link
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03726en_us	Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us	Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03756en_us	Third Party Advisory
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03765en_us	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05164862	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05320149	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05386804	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722	Third Party Advisory
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40202	Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10160	Third Party Advisory
https://security.netapp.com/advisory/ntap-20160504-0001	Third Party Advisory
https://support.apple.com/HT206903	Third Party Advisory
https://www.tenable.com/security/tns-2016-18	Third Party Advisory

URL	Date	SRC
https://www.exploit-db.com/exploits/39768	2024-08-05
https://github.com/FiloSottile/CVE-2016-2107	2016-05-13

URL	Date	SRC
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html	2024-02-16
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html	2024-02-16
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html	2024-02-16
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	2024-02-16
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html	2024-02-16
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html	2024-02-16
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html	2024-02-16

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html	2024-02-16
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183457.html	2024-02-16
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183607.html	2024-02-16
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184605.html	2024-02-16
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00001.html	2024-02-16
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00008.html	2024-02-16
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00011.html	2024-02-16
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00013.html	2024-02-16
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00014.html	2024-02-16
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00016.html	2024-02-16
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00019.html	2024-02-16
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00019.html	2024-02-16
http://rhn.redhat.com/errata/RHSA-2016-0722.html	2024-02-16
http://rhn.redhat.com/errata/RHSA-2016-0996.html	2024-02-16
http://rhn.redhat.com/errata/RHSA-2016-2073.html	2024-02-16
http://rhn.redhat.com/errata/RHSA-2016-2957.html	2024-02-16
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160504-openssl	2024-02-16
http://www.debian.org/security/2016/dsa-3566	2024-02-16
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.542103	2024-02-16
http://www.ubuntu.com/usn/USN-2959-1	2024-02-16
https://security.gentoo.org/glsa/201612-16	2024-02-16
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:17.openssl.asc	2024-02-16
https://www.openssl.org/news/secadv/20160503.txt	2024-02-16
https://access.redhat.com/security/cve/CVE-2016-2107	2016-12-15
https://bugzilla.redhat.com/show_bug.cgi?id=1331426	2016-12-15

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				7.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Hpc Node Search vendor "Redhat" for product "Enterprise Linux Hpc Node"				7.0 Search vendor "Redhat" for product "Enterprise Linux Hpc Node" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Hpc Node Eus Search vendor "Redhat" for product "Enterprise Linux Hpc Node Eus"				7.2 Search vendor "Redhat" for product "Enterprise Linux Hpc Node Eus" and version "7.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Aus Search vendor "Redhat" for product "Enterprise Linux Server Aus"				7.2 Search vendor "Redhat" for product "Enterprise Linux Server Aus" and version "7.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Eus Search vendor "Redhat" for product "Enterprise Linux Server Eus"				7.2 Search vendor "Redhat" for product "Enterprise Linux Server Eus" and version "7.2"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				42.1 Search vendor "Opensuse" for product "Leap" and version "42.1"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				13.2 Search vendor "Opensuse" for product "Opensuse" and version "13.2"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				<= 1.0.1s Search vendor "Openssl" for product "Openssl" and version " <= 1.0.1s"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2 Search vendor "Openssl" for product "Openssl" and version "1.0.2"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2 Search vendor "Openssl" for product "Openssl" and version "1.0.2"		beta1		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2 Search vendor "Openssl" for product "Openssl" and version "1.0.2"		beta2		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2 Search vendor "Openssl" for product "Openssl" and version "1.0.2"		beta3		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2a Search vendor "Openssl" for product "Openssl" and version "1.0.2a"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2b Search vendor "Openssl" for product "Openssl" and version "1.0.2b"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2c Search vendor "Openssl" for product "Openssl" and version "1.0.2c"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2d Search vendor "Openssl" for product "Openssl" and version "1.0.2d"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2e Search vendor "Openssl" for product "Openssl" and version "1.0.2e"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2f Search vendor "Openssl" for product "Openssl" and version "1.0.2f"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				1.0.2g Search vendor "Openssl" for product "Openssl" and version "1.0.2g"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.0 Search vendor "Google" for product "Android" and version "4.0"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.0.1 Search vendor "Google" for product "Android" and version "4.0.1"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.0.2 Search vendor "Google" for product "Android" and version "4.0.2"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.0.3 Search vendor "Google" for product "Android" and version "4.0.3"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.0.4 Search vendor "Google" for product "Android" and version "4.0.4"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.1 Search vendor "Google" for product "Android" and version "4.1"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.1.2 Search vendor "Google" for product "Android" and version "4.1.2"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.2 Search vendor "Google" for product "Android" and version "4.2"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.2.1 Search vendor "Google" for product "Android" and version "4.2.1"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.2.2 Search vendor "Google" for product "Android" and version "4.2.2"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.3 Search vendor "Google" for product "Android" and version "4.3"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.3.1 Search vendor "Google" for product "Android" and version "4.3.1"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.4 Search vendor "Google" for product "Android" and version "4.4"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.4.1 Search vendor "Google" for product "Android" and version "4.4.1"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.4.2 Search vendor "Google" for product "Android" and version "4.4.2"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				4.4.3 Search vendor "Google" for product "Android" and version "4.4.3"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				5.0 Search vendor "Google" for product "Android" and version "5.0"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				5.0.1 Search vendor "Google" for product "Android" and version "5.0.1"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				5.1 Search vendor "Google" for product "Android" and version "5.1"		-		Affected
Google Search vendor "Google"		Android Search vendor "Google" for product "Android"				5.1.0 Search vendor "Google" for product "Android" and version "5.1.0"		-		Affected
Hp Search vendor "Hp"		Helion Openstack Search vendor "Hp" for product "Helion Openstack"				2.0.0 Search vendor "Hp" for product "Helion Openstack" and version "2.0.0"		-		Affected
Hp Search vendor "Hp"		Helion Openstack Search vendor "Hp" for product "Helion Openstack"				2.1.0 Search vendor "Hp" for product "Helion Openstack" and version "2.1.0"		-		Affected
Hp Search vendor "Hp"		Helion Openstack Search vendor "Hp" for product "Helion Openstack"				2.1.2 Search vendor "Hp" for product "Helion Openstack" and version "2.1.2"		-		Affected
Hp Search vendor "Hp"		Helion Openstack Search vendor "Hp" for product "Helion Openstack"				2.1.4 Search vendor "Hp" for product "Helion Openstack" and version "2.1.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Desktop Search vendor "Redhat" for product "Enterprise Linux Desktop"				6.0 Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Hpc Node Search vendor "Redhat" for product "Enterprise Linux Hpc Node"				6.0 Search vendor "Redhat" for product "Enterprise Linux Hpc Node" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				6.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "6.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				6.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "6.0"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 0.10.0 < 0.10.45 Search vendor "Nodejs" for product "Node.js" and version " >= 0.10.0 < 0.10.45"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 0.12.0 < 0.12.14 Search vendor "Nodejs" for product "Node.js" and version " >= 0.12.0 < 0.12.14"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 4.0.0 <= 4.1.2 Search vendor "Nodejs" for product "Node.js" and version " >= 4.0.0 <= 4.1.2"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 4.2.0 < 4.4.4 Search vendor "Nodejs" for product "Node.js" and version " >= 4.2.0 < 4.4.4"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 5.0.0 < 5.11.1 Search vendor "Nodejs" for product "Node.js" and version " >= 5.0.0 < 5.11.1"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				6.0.0 Search vendor "Nodejs" for product "Node.js" and version "6.0.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				15.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "15.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		esm		Affected