Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2012-2686 — Openssl vulnerability

CWE-31011 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

66.1%

top 1.48%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Openssl Debian Openssl

Timeline

PublishedFeb 8

Latest updateMay 14

Description

crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and 1.2 implementations in OpenSSL 1.0.1 before 1.0.1d allows remote attackers to cause a denial of service (application crash) via crafted CBC data.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶debiandebian/openssl< openssl 1.0.1e-1 (bookworm)

▶Debianopenssl/openssl< 1.0.1e-1+3

▶NVDopenssl/openssl4 versions+3

🔴Vulnerability Details

GHSA

GHSA-5r46-h84j-rjp5: crypto/evp/e_aes_cbc_hmac_sha1↗2022-05-14

▶

OSV

CVE-2012-2686: crypto/evp/e_aes_cbc_hmac_sha1↗2013-02-08

▶

💥Exploits & PoCs

Metasploit

OpenSSL TLS 1.1 and 1.2 AES-NI DoS↗

▶

📋Vendor Advisories

Ubuntu

OpenSSL vulnerability↗2013-03-25

▶

Ubuntu

OpenSSL regression↗2013-02-28

▶

Ubuntu

OpenSSL vulnerabilities↗2013-02-21

▶

Red Hat

openssl: DoS due to improper handling of CBC ciphersuites in TLS 1.1/1.2 on AES-NI supporting platforms↗2013-02-05

▶

Debian

CVE-2012-2686: openssl - crypto/evp/e_aes_cbc_hmac_sha1.c in the AES-NI functionality in the TLS 1.1 and ...↗2012

▶

💬Community

Bugzilla

CVE-2012-2686 openssl: DoS due to improper handling of CBC ciphersuites in TLS 1.1/1.2 on AES-NI supporting platforms↗2013-02-05

▶

Bugzilla

CVE-2012-2686 openssl: DoS due to improper handling of CBC ciphersuites in TLS 1.1/1.2 on AES-NI supporting platforms [fedora-18]↗2013-02-05

▶