Description
The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sensitive private-key information via an attack against use of a (1) Diffie-Hellman (DH) or (2) Diffie-Hellman Ephemeral (DHE) ciphersuite.
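The description above names the defect class but not how such a bug behaves, so here is an added example (not OpenSSL code, and not a reproduction of the actual x86_64-mont5.pl defect): a word-level Montgomery reduction in Python with a constructed `drop_carry` flag that loses a carry two words up the accumulator, a random differential check against Python's big-int `pow()`, and a crafted input (modulus of all-ones words, squaring m-1) that forces the carry to ripple through every upper word. The names `MontCtx`, `redc`, `differential_check` and `edge_case` are this example's own; nothing here comes from the OpenSSL source.

```python
"""Word-level Montgomery reduction (REDC) with a constructed carry bug.

Added example, not OpenSSL code: models the defect class behind CVE-2015-3193,
where a carry lost inside multi-word Montgomery arithmetic makes a
BN_mod_exp-style routine return wrong results on some inputs only.
"""
import random

W = 64                      # word size in bits, as on x86_64
MASK = (1 << W) - 1


def to_words(x, count):
    """Little-endian W-bit words of x, zero-padded to count words."""
    return [(x >> (W * i)) & MASK for i in range(count)]


def from_words(words):
    return sum(w << (W * i) for i, w in enumerate(words))


class MontCtx:
    """Montgomery constants for an odd modulus m that fits in n words."""

    def __init__(self, m, n):
        assert m & 1 and 1 < m < (1 << (W * n))
        self.m, self.n = m, n
        self.R = 1 << (W * n)
        self.m_words = to_words(m, n)
        self.m_inv = (-pow(m, -1, 1 << W)) % (1 << W)   # -m^-1 mod 2^W

    def redc(self, T, drop_carry=False):
        """Return T * R^-1 mod m for 0 <= T < m*R, one word of T per round.

        drop_carry=True lets a carry ripple into word i+n+1 but no further: a
        constructed bug that fires only when word i+n+1 is already all ones.
        """
        n, m_words = self.n, self.m_words
        t = to_words(T, 2 * n + 2)
        for i in range(n):
            u = (t[i] * self.m_inv) & MASK          # chosen so word i becomes 0
            carry = 0
            for j in range(n):                       # t += (u * m) << (W * i)
                s = t[i + j] + u * m_words[j] + carry
                t[i + j] = s & MASK
                carry = s >> W
            k = i + n                                # ripple the carry upward
            while carry:
                if drop_carry and k > i + n + 1:
                    break                            # constructed bug: carry lost
                s = t[k] + carry
                t[k] = s & MASK
                carry = s >> W
                k += 1
        r = from_words(t[n:2 * n + 1])               # T / R, at most n+1 words
        return r - self.m if r >= self.m else r

    def mul(self, a, b, drop_carry=False):
        """Montgomery product a * b * R^-1 mod m for a, b < m."""
        return self.redc(a * b, drop_carry)

    def modexp(self, base, exp, drop_carry=False):
        """base^exp mod m, left-to-right square-and-multiply in Montgomery form."""
        acc = self.R % self.m                        # Montgomery form of 1
        x = (base * self.R) % self.m                 # Montgomery form of base
        for bit in bin(exp)[2:]:
            acc = self.mul(acc, acc, drop_carry)
            if bit == "1":
                acc = self.mul(acc, x, drop_carry)
        return self.mul(acc, 1, drop_carry)          # leave Montgomery form


def differential_check(trials, n, seed=1, drop_carry=False):
    """Count disagreements with Python's big-int pow() on random full-width inputs."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        m = rng.getrandbits(W * n) | (1 << (W * n - 1)) | 1    # odd, top bit set
        ctx = MontCtx(m, n)
        a, b, e = rng.randrange(m), rng.randrange(m), rng.getrandbits(W)
        if ctx.mul(a, b, drop_carry) != (a * b * pow(ctx.R, -1, m)) % m:
            bad += 1
        if ctx.modexp(a, e, drop_carry) != pow(a, e, m):
            bad += 1
    return bad


def edge_case(n, drop_carry=False):
    """(m-1)^2 mod m for m = R-1 (every word all ones); the correct answer is 1.
    Squaring m-1 makes the round-0 carry ripple through every upper word."""
    R = 1 << (W * n)
    return MontCtx(R - 1, n).modexp(R - 2, 2, drop_carry)


if __name__ == "__main__":
    print("random mismatches, correct/buggy:",
          differential_check(100, 4), differential_check(100, 4, drop_carry=True))
    print("edge case, correct:", edge_case(4))
    print("edge case, buggy:  ", hex(edge_case(4, drop_carry=True)))
```

The point of the two checks: the carry-dropping variant agrees with `pow()` on random inputs (the trigger needs an upper accumulator word to be exactly all ones, which random operands almost never produce), yet returns a wrong value for (m-1)^2 mod m when every word of m is all ones. Regression tests for this bug class therefore need known-answer vectors on structured operands, not random differential testing alone; the Go math/big entry (CVE-2015-8618) listed under Community below is the same class of defect in a different implementation.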
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score: 7.5 (High) | Exploitability: 3.9 | Impact: 3.6
Attack Vector: Network
Complexity: Low
Privileges: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Affected Packages: 4 packages
Also affects: Ubuntu Linux 12.04, 14.04, 15.04, 15.10
Vulnerability Details (4)
GHSA: GHSA-8m9h-2gxv-h3m7: The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5 (2022-05-17)
OSV: openssl vulnerabilities (2015-12-07)
CVEList: CVE-2015-3193: The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5 (2015-12-06)
OSV: CVE-2015-3193: The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5 (2015-12-06)
Vendor Advisories (5)
Apple: CVE-2015-3193: Xcode 8.1 (2016-10-27)
Ubuntu: OpenSSL vulnerabilities (2015-12-07)
Cisco: Multiple Vulnerabilities in OpenSSL (December 2015) Affecting Cisco Products (2015-12-04)
Red Hat: OpenSSL: BN_mod_exp may produce incorrect results on x86_64 (2015-12-03)
Debian: CVE-2015-3193: openssl - The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenS... (2015)
Community (3)
HackerOne: BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) (2016-04-12)
Bugzilla: CVE-2015-8618 golang: Carry propagation in Int.Exp Montgomery code in math/big library (2015-12-21)
Bugzilla: CVE-2015-3193 OpenSSL: BN_mod_exp may produce incorrect results on x86_64 (2015-12-04)