[ASA-201712-11] lib32-openssl-1.0: multiple issues
Jelle van der Waa
jelle at archlinux.org
Sun Dec 17 21:09:03 UTC 2017
Arch Linux Security Advisory ASA-201712-11
Date : 2017-12-17
CVE-ID : CVE-2017-3735 CVE-2017-3736 CVE-2017-3737 CVE-2017-3738
Package : lib32-openssl-1.0
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-480
The package lib32-openssl-1.0 before version 1.0.2.n-1 is vulnerable to
multiple issues including information disclosure, private key recovery
and denial of service.
Upgrade to 1.0.2.n-1.
# pacman -Syu "lib32-openssl-1.0>=1.0.2.n-1"
The problems have been fixed upstream in version 1.0.2.n.
- CVE-2017-3735 (denial of service)
A security issue has been found in OpenSSL < 1.1.0g. If an X.509
certificate has a malformed IPAddressFamily extension, OpenSSL could do
a one-byte buffer overread. The most likely result would be an
erroneous display of the certificate in text format.
- CVE-2017-3736 (information disclosure)
A carry propagation bug has been found in OpenSSL < 1.1.0g in the
x86_64 Montgomery squaring procedure. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this
defect would be very difficult to perform and are not believed likely.
Attacks against DH are considered just feasible (although very
difficult) because most of the work necessary to deduce information
about a private key may be performed offline. The amount of resources
required for such an attack would be very significant and likely only
accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients.
This only affects processors that support the BMI1, BMI2 and ADX
extensions like Intel Broadwell (5th generation) and later or AMD
- CVE-2017-3737 (information disclosure)
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error
state" mechanism. The intent was that if a fatal error occurred during
a handshake then OpenSSL would move into the error state and would
immediately fail if you attempted to continue the handshake. This works
as designed for the explicit handshake functions (SSL_do_handshake(),
SSL_accept() and SSL_connect()), however due to a bug it does not work
correctly if SSL_read() or SSL_write() is called directly. In that
scenario, if the handshake fails then a fatal error will be returned in
the initial function call. If SSL_read()/SSL_write() is subsequently
called by the application for the same SSL object then it will succeed
and the data is passed without being decrypted/encrypted directly from
the SSL/TLS record layer. In order to exploit this issue an application
bug would have to be present that resulted in a call to
SSL_read()/SSL_write() being issued after having already received a
- CVE-2017-3738 (private key recovery)
There is an overflow bug in the AVX2 Montgomery multiplication
procedure used in exponentiation with 1024-bit moduli. No EC algorithms
are affected. Analysis suggests that attacks against RSA and DSA as a
result of this defect would be very difficult to perform and are not
believed likely. Attacks against DH1024 are considered just feasible,
because most of the work necessary to deduce information about a
private key may be performed offline. The amount of resources required
for such an attack would be significant. However, for an attack on TLS
to be meaningful, the server would have to share the DH1024 private key
among multiple clients, which is no longer an option since
A remote attacker can cause a denial of service via a crafted X.509
certificate. Furthermore a remote attacker with online access to an
unpatched system on a vulnerable architecture can access sensitive
information like a private key.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 488 bytes
Desc: not available
More information about the arch-security