Vulnerability Details : CVE-2018-0732
During key agreement in a TLS handshake using a DH(E)-based ciphersuite, a malicious server can send a very large prime value to the client. The client then spends an unreasonably long time generating a key for this prime, so it hangs until that computation finishes. This could be exploited in a Denial of Service attack. Fixed in OpenSSL 1.1.0i-dev (affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (affected 1.0.2-1.0.2o).
Vulnerability category: Denial of service
Products affected by CVE-2018-0732
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-0732
EPSS score: 81.09% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~99% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-0732
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-0732
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-0732
- https://security.netapp.com/advisory/ntap-20190118-0002/ : January 2019 MySQL Vulnerabilities in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://usn.ubuntu.com/3692-2/ : USN-3692-2: OpenSSL vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://www.tenable.com/security/tns-2018-14 : [R1] Nessus 8.0.0 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable® (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/ : [SECURITY] Fedora 30 Update: compat-openssl10-1.0.2o-7.fc30 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/07/msg00043.html : [SECURITY] [DLA 1449-1] openssl security update (Third Party Advisory)
- https://usn.ubuntu.com/3692-1/ : USN-3692-1: OpenSSL vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/ : [SECURITY] Fedora 31 Update: compat-openssl10-1.0.2o-8.fc31 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:2552 : RHSA-2018:2552 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html : CPU Oct 2018 (Patch; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1297 : RHSA-2019:1297 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2020.html : Oracle Critical Patch Update Advisory - April 2020 (Third Party Advisory)
- https://www.tenable.com/security/tns-2018-17 : [R1] Nessus 7.1.4 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable® (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html : (Patch; Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html : Oracle Critical Patch Update - July 2019 (Patch; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/ : [SECURITY] Fedora 29 Update: compat-openssl10-1.0.2o-7.fc29 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3505 : RHSA-2018:3505 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ : August 2018 Security Releases | Node.js (Vendor Advisory)
- https://www.tenable.com/security/tns-2018-13 : [R1] LCE 5.1.1 Fixes Multiple Third-party Vulnerabilities - Security Advisory | Tenable® (Third Party Advisory)
- https://security.gentoo.org/glsa/201811-03 : OpenSSL: Denial of Service (GLSA 201811-03) — Gentoo security (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2021.html : Oracle Critical Patch Update Advisory - January 2021 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20181105-0001/ : CVE-2018-0732 OpenSSL Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1296 : RHSA-2019:1296 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.securitytracker.com/id/1041090 : OpenSSL DH Parameter Processing Lets Remote Servers Deny Service on Connected Clients - SecurityTracker (Third Party Advisory; VDB Entry)
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html : Oracle Critical Patch Update - April 2019 (Patch; Third Party Advisory)
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3984ef0b72831da8b3ece4745cac4f8575b19098 : git.openssl.org Git - openssl.git/commitdiff (Patch; Third Party Advisory)
- https://securityadvisories.paloaltonetworks.com/Home/Detail/133 : (Third Party Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html : Oracle Critical Patch Update - January 2019 (Patch; Third Party Advisory)
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ea7abeeabf92b7aca160bdd0208636d4da69f4f4 : git.openssl.org Git - openssl.git/commitdiff (Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/104442 : OpenSSL CVE-2018-0732 Denial of Service Vulnerability (Third Party Advisory; VDB Entry)
- https://cert-portal.siemens.com/productcert/pdf/ssa-419820.pdf : (Third Party Advisory)
- https://www.openssl.org/news/secadv/20180612.txt : (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:2553 : RHSA-2018:2553 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4348 : Debian -- Security Information -- DSA-4348-1 openssl (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3221 : RHSA-2018:3221 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1543 : RHSA-2019:1543 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://www.tenable.com/security/tns-2018-12 : [R1] SecurityCenter 5.7.1 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable® (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4355 : Debian -- Security Information -- DSA-4355-1 openssl1.0 (Third Party Advisory)