CVE-2017-3737

{"id": "CVE-2017-3737", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2017-12-07T16:29:00.193", "references": [{"url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", "source": "openssl-security@openssl.org"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", "source": "openssl-security@openssl.org"}, {"url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", "source": "openssl-security@openssl.org"}, {"url": "http://www.securityfocus.com/bid/102103", "tags": ["Third Party Advisory", "VDB Entry"], "source": "openssl-security@openssl.org"}, {"url": "http://www.securitytracker.com/id/1039978", "tags": ["Third Party Advisory", "VDB Entry"], "source": "openssl-security@openssl.org"}, {"url": "https://access.redhat.com/errata/RHSA-2018:0998", "source": "openssl-security@openssl.org"}, {"url": "https://access.redhat.com/errata/RHSA-2018:2185", "source": "openssl-security@openssl.org"}, {"url": "https://access.redhat.com/errata/RHSA-2018:2186", "source": "openssl-security@openssl.org"}, {"url": "https://access.redhat.com/errata/RHSA-2018:2187", "source": "openssl-security@openssl.org"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-179516.pdf", "source": "openssl-security@openssl.org"}, {"url": "https://github.com/openssl/openssl/commit/898fb884b706aaeb283de4812340bb0bde8476dc", "source": "openssl-security@openssl.org"}, {"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:12.openssl.asc", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://security.gentoo.org/glsa/201712-03", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://security.netapp.com/advisory/ntap-20171208-0001/", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://security.netapp.com/advisory/ntap-20180117-0002/", "source": "openssl-security@openssl.org"}, {"url": "https://security.netapp.com/advisory/ntap-20180419-0002/", "source": "openssl-security@openssl.org"}, {"url": "https://www.debian.org/security/2017/dsa-4065", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.digitalmunition.me/2017/12/cve-2017-3737-openssl-security-bypass-vulnerability/", "tags": ["Third Party Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.openssl.org/news/secadv/20171207.txt", "tags": ["Vendor Advisory"], "source": "openssl-security@openssl.org"}, {"url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "source": "openssl-security@openssl.org"}, {"url": "https://www.tenable.com/security/tns-2017-16", "source": "openssl-security@openssl.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}, {"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an \"error state\" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL version 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected."}, {"lang": "es", "value": "OpenSSL 1.0.2 (comenzando desde la versi\u00f3n 1.0.2b) introdujo un mecanismo de \"error state\" (estado de error). La intenci\u00f3n era que, si ocurr\u00eda un error fatal durante una negociaci\u00f3n, OpenSSL entrar\u00eda en el estado de error y fallar\u00eda autom\u00e1ticamente si se intentase continuar la negociaci\u00f3n. Esto funciona tal y como se ha dise\u00f1ado para las funciones de negociaci\u00f3n expl\u00edcitas (SSL_do_handshake(), SSL_accept() y SSL_connect()); sin embargo, debido a un error, no funciona correctamente si se llama directamente a SSL_read() o a SSL_write(). En ese caso, si la negociaci\u00f3n fracasa, se devolver\u00e1 un error fatal en la llamada de funci\u00f3n inicial. Si, posteriormente, la aplicaci\u00f3n llama a SSL_read()/SSL_write() para el mismo objeto SSL, tendr\u00e1 \u00e9xito y los datos se pasar\u00e1n sin cifrarse/descifrarse directamente desde la capa de registro SSL/TLS. Para explotar esta vulnerabilidad, deber\u00eda existir un error de aplicaci\u00f3n que resulte en una llamada a SSL_read()/SSL_write() que se realiza una vez ya se ha recibido un error fatal. Las versiones 1.0.2b-1.0.2m de OpenSSL se han visto afectadas. Se ha solucionado en OpenSSL 1.0.2n. OpenSSL 1.1.0 no se ha visto afectada."}], "lastModified": "2019-10-03T00:03:26.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4847BCF3-EFCE-41AF-8E7D-3D51EB9DCC5B"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9B89180B-FB68-4DD8-B076-16E51CC7FB91"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4C986592-4086-4A39-9767-EF34DBAA6A53"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2e:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7B23181C-03DB-4E92-B3F6-6B585B5231B4"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2f:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94D9EC1C-4843-4026-9B05-E060E9391734"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2g:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B066401C-21CF-4BE9-9C55-C9F1E0C7BE3F"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2h:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "036FB24F-7D86-4730-8BC9-722875BEC807"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2i:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FDF148A3-1AA7-4F27-85AB-414C609C626F"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2j:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E15B749E-6808-4788-AE42-7A1587D8697E"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2k:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "58F80C8D-BCA2-40AD-BD22-B70C7BE1B298"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2l:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "70B78EDF-6BB7-42C4-9423-9332C62C6E43"}, {"criteria": "cpe:2.3:a:openssl:openssl:1.0.2m:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E2354F82-A01B-43D2-84F4-4E94B258E091"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252"}], "operator": "OR"}]}], "sourceIdentifier": "openssl-security@openssl.org"}