Free and open-source vulnerability scanner

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

CVE-2018-0732

CVE information

Published

4 years ago

Last Modified

5 months ago

CVSSv2.0 Severity

Medium

CVSSv3.1 Severity

High

Impact Analysis

Description

During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client has finished. This could be exploited in a Denial Of Service attack. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2-1.0.2o)..

CVSSv2.0 Score

Severity
Medium
Base Score
5/10
Exploit Score
10/10
Access Vector
Network
Access Complexity
Low
Authentication Required
None
Impact Score
2.9/10
Confidentiality Impact
None
Availability Impact
Partial
Integrity Impact
None

CVSSv3.1 Score

Severity
High
Base Score
7.5/10
Exploit Score
3.9/10
Access Vector
Network
Access Complexity
Low
Privileges Required
None
Impact Score
3.6/10
Confidentiality Impact
None
Availability Impact
High
Integrity Impact
None
Scope
Unchanged
User Interaction
None

Products Affected

CPE Affected Vulnerable Excluding Edit
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
  Yes
1.1.0 -
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
  Yes
1.0.2 -
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  Yes
- -
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  Yes
- -
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
  Yes
- -
cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  Yes
- -
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
  Yes
8.9.0 8.11.4
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  Yes
8.0.0 8.8.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  Yes
10.0.0 10.9.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
  Yes
6.9.0 6.14.4
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
  Yes
6.0.0 6.8.1

References