// For flags

CVE-2016-7055

openssl: Carry propagating bug in Montgomery multiplication

Severity Score

5.9
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.

Existe un error de propagación de acarreo en el procedimiento de multiplicación Montgomery Broadwell-specific en OpenSSL 1.0.2 y 1.1.0 en versiones anteriores a la 1.1.0c, que maneja longitudes de entrada divisibles por, pero más largas que 256 bits. El análisis sugiere que los ataques contra las claves privadas RSA, DSA y DH son imposibles. Esto se debe a que dicha subrutina no se utiliza en operaciones con la clave privada y una entrada elegida directamente por el atacante. En caso contrario, el error puede manifestarse como una autenticación transitoria o con errores en la negociación de claves o en un resultado erróneo reproducible en operaciones de clave pública a través de una entrada especialmente diseñada. Entre los algoritmos de Curva Eliptica solo los Brainpool P-512 están afectados y presumiblemente puede atacarse la negociación de claves ECDH. El impacto no se analizó en detalle, ya que los requisitos previos para el ataque se consideran improbables. Notese que varios clientes tienen que elegir la curva en cuestión y el servidor tiene que compartir la clave privada entre ellos, lo que no es un comportamiento por defecto en ningún caso. Incluso en esa situación, sólo los clientes que eligieron la curva se verán afectados.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-08-23 CVE Reserved
  • 2016-11-10 CVE Published
  • 2024-08-06 CVE Updated
  • 2024-10-14 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-682: Incorrect Calculation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
>= 1.0.2 < 1.0.2k
Search vendor "Openssl" for product "Openssl" and version " >= 1.0.2 < 1.0.2k"
-
Affected
Openssl
Search vendor "Openssl"
Openssl
Search vendor "Openssl" for product "Openssl"
>= 1.1.0 < 1.1.0c
Search vendor "Openssl" for product "Openssl" and version " >= 1.1.0 < 1.1.0c"
-
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 4.0.0 <= 4.1.2
Search vendor "Nodejs" for product "Node.js" and version " >= 4.0.0 <= 4.1.2"
-
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 4.2.0 < 4.7.3
Search vendor "Nodejs" for product "Node.js" and version " >= 4.2.0 < 4.7.3"
lts
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 6.0.0 <= 6.8.1
Search vendor "Nodejs" for product "Node.js" and version " >= 6.0.0 <= 6.8.1"
-
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 6.9.0 < 6.9.5
Search vendor "Nodejs" for product "Node.js" and version " >= 6.9.0 < 6.9.5"
lts
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 7.0.0 < 7.5.0
Search vendor "Nodejs" for product "Node.js" and version " >= 7.0.0 < 7.5.0"
-
Affected