Vulnerability Details : CVE-2020-1968

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).

Published 2020-09-09 14:15:13

Updated 2022-11-21 19:48:16

Source OpenSSL Software Foundation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2020-1968

Probability of exploitation activity in the next 30 days: 0.37%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 70 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2020-1968

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	nvd@nist.gov
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
3.7	LOW	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N	2.2	1.4	nvd@nist.gov
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2020-1968

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2020-1968

https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com//security-alerts/cpujul2021.html

Oracle Critical Patch Update Advisory - July 2021
Patch;Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/4504-1/

USN-4504-1: OpenSSL vulnerabilities | Ubuntu security notices | Ubuntu
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2021.html

Oracle Critical Patch Update Advisory - January 2021
Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuApr2021.html

Oracle Critical Patch Update Advisory - April 2021
Patch;Third Party Advisory

CVEs referencing this url
https://www.openssl.org/news/secadv/20200909.txt

Vendor Advisory
https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html

[SECURITY] [DLA 2378-1] openssl1.0 security update
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20200911-0004/

CVE-2020-1968 OpenSSL Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://security.gentoo.org/glsa/202210-02

OpenSSL: Multiple Vulnerabilities (GLSA 202210-02) — Gentoo security
Third Party Advisory

CVEs referencing this url

Products affected by CVE-2020-1968

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.56
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.57
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
Matching versions
Oracle » Peoplesoft Enterprise Peopletools » Version: 8.58
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
Matching versions
Oracle » Jd Edwards World Security » Version: A9.4
cpe:2.3:a:oracle:jd_edwards_world_security:a9.4:*:*:*:*:*:*:*
Matching versions
Oracle » Ethernet Switch Es2-64 Firmware » Version: 2.0.0.14
cpe:2.3:o:oracle:ethernet_switch_es2-64_firmware:2.0.0.14:*:*:*:*:*:*:*
Matching versions
When used together with: Oracle » Ethernet Switch Es2-64 » Version: N/A
Oracle » Ethernet Switch Es2-72 Firmware » Version: 2.0.0.14
cpe:2.3:o:oracle:ethernet_switch_es2-72_firmware:2.0.0.14:*:*:*:*:*:*:*
Matching versions
When used together with: Oracle » Ethernet Switch Es2-72 » Version: N/A
Oracle » Ethernet Switch Es1-24 Firmware » Version: 1.3.1
cpe:2.3:o:oracle:ethernet_switch_es1-24_firmware:1.3.1:*:*:*:*:*:*:*
Matching versions
When used together with: Oracle » Ethernet Switch Es1-24 » Version: N/A
Oracle » Ethernet Switch Tor-72 Firmware » Version: 1.2.2
cpe:2.3:o:oracle:ethernet_switch_tor-72_firmware:1.2.2:*:*:*:*:*:*:*
Matching versions
When used together with: Oracle » Ethernet Switch Tor-72 » Version: N/A
Openssl » Openssl
Versions from including (>=) 1.0.2 and up to, including, (<=) 1.0.2v
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
Matching versions
Fujitsu » M10-1 Firmware
Versions before (<) xcp2400
cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-1 » Version: N/A
Fujitsu » M10-1 Firmware
Versions before (<) xcp3100
cpe:2.3:o:fujitsu:m10-1_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-1 » Version: N/A
Fujitsu » M10-4 Firmware
Versions before (<) xcp2400
cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-4 » Version: N/A
Fujitsu » M10-4 Firmware
Versions before (<) xcp3100
cpe:2.3:o:fujitsu:m10-4_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-4 » Version: N/A
Fujitsu » M10-4s Firmware
Versions before (<) xcp2400
cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-4s » Version: N/A
Fujitsu » M10-4s Firmware
Versions before (<) xcp3100
cpe:2.3:o:fujitsu:m10-4s_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M10-4s » Version: N/A
Fujitsu » M12-1 Firmware
Versions before (<) xcp2400
cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-1 » Version: N/A
Fujitsu » M12-1 Firmware
Versions before (<) xcp3100
cpe:2.3:o:fujitsu:m12-1_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-1 » Version: N/A
Fujitsu » M12-2 Firmware
Versions before (<) xcp3100
cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-2 » Version: N/A
Fujitsu » M12-2 Firmware
Versions before (<) xcp2400
cpe:2.3:o:fujitsu:m12-2_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-2 » Version: N/A
Fujitsu » M12-2s Firmware
Versions before (<) xcp2400
cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-2s » Version: N/A
Fujitsu » M12-2s Firmware
Versions before (<) xcp3100
cpe:2.3:o:fujitsu:m12-2s_firmware:*:*:*:*:*:*:*:*
Matching versions
When used together with: Fujitsu » M12-2s » Version: N/A
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions