CVE-2016-7055
published 2017-05-04CVE-2016-7055: There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input…
PriorityP340medium5.9CVSS 3.1
AVNACHPRNUINSUCNINAH
EPSS
14.22%
96.1th percentile
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssl | < openssl 1.1.0c-1 (bookworm) | openssl 1.1.0c-1 (bookworm) |
| nodejs | node.js | 4.0.0 – 4.1.2 | — |
| nodejs | node.js | >= 4.2.0 < 4.7.3 | 4.7.3 |
| nodejs | node.js | 6.0.0 – 6.8.1 | — |
| nodejs | node.js | >= 6.9.0 < 6.9.5 | 6.9.5 |
| nodejs | node.js | >= 7.0.0 < 7.5.0 | 7.5.0 |
| openssl | openssl | >= 0 < 1.1.0c-1 | 1.1.0c-1 |
| openssl | openssl | >= 0 < 1.1.0c-1 | 1.1.0c-1 |
| openssl | openssl | >= 0 < 1.1.0c-1 | 1.1.0c-1 |
| openssl | openssl | >= 0 < 1.1.0c-1 | 1.1.0c-1 |
| openssl | openssl | >= 0 < 1.0.1f-1ubuntu2.22 | 1.0.1f-1ubuntu2.22 |
| openssl | openssl | >= 0 < 1.0.2g-1ubuntu4.6 | 1.0.2g-1ubuntu4.6 |
| openssl | openssl | >= 1.0.2 < 1.0.2k | 1.0.2k |
| openssl | openssl | >= 1.1.0 < 1.1.0c | 1.1.0c |
CVSS provenance
nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.02.6LOWAV:N/AC:H/Au:N/C:N/I:N/A:P
osv9.8CRITICAL
vendor_ubuntu9.8CRITICAL
vendor_debian5.9LOW
vendor_redhat5.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
BSD
FreeBSD-SA-17:02.openssl: OpenSSL multiple vulnerabilities
bsd_advisories·2017-02-23·CVSS 5.9
CVE-2016-7055 [MEDIUM] FreeBSD-SA-17:02.openssl: OpenSSL multiple vulnerabilities
FreeBSD-SA-17:02.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2017-02-23
Affects: All supported versions of FreeBSD.
Corrected: 2017-01-26 19:14:14 UTC (stable/11, 11.0-STABLE)
2017-02-23 07:11:48 UTC (releng/11.0, 11.0-RELEASE-p8)
2017-01-27 07:45:06 UTC (stable/10, 10.3-STABLE)
2017-02-23 07:12:18 UTC (releng/10.3, 10.3-RELEASE-p17)
CVE Name: CVE-2016-7055, CVE-2017-3731, CVE-2017-3732
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2017-01-31·CVSS 9.8
CVE-2016-2177 [CRITICAL] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
Guido Vranken discovered that OpenSSL used undefined behaviour when
performing pointer arithmetic. A remote attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service. This
issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other
releases were fixed in a previous security update. (CVE-2016-2177)
It was discovered that OpenSSL did not properly handle Montgomery
multiplication, resulting in incorrect results leading to transient
failures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10.
(CVE-2016-7055)
It was discovered that OpenSSL did not properly use constant-time
operations when performing ECDSA P-256 signing. A remote attacker could
Cisco
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016
vendor_cisco·2016-11-14
CVE-2016-7053 [MEDIUM] CWE-119 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016
On November 10, 2016, the OpenSSL Software Foundation released a security advisory that describes three vulnerabilities. Of these vulnerabilities, the OpenSSL Software Foundation classifies one as “Critical Severity,” one as “Moderate Severity,” and one as “Low Severity.”
Two of the vulnerabilities affect only recent OpenSSL versions in the 1.1.0 release series. The remaining Low Severity vulnerability affects OpenSSL versions in the 1.0.2 and 1.1.0 release series.
This advisory will be updated as additional information becomes available.
This advisory is available at the following link:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161114-openssl
Red Hat
openssl: Carry propagating bug in Montgomery multiplication
vendor_redhat·2016-10-11·CVSS 5.9
CVE-2016-7055 [MEDIUM] CWE-682 openssl: Carry propagating bug in Montgomery multiplication
openssl: Carry propagating bug in Montgomery multiplication
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was n
Debian
CVE-2016-7055: openssl - There is a carry propagating bug in the Broadwell-specific Montgomery multiplica...
vendor_debian·2016·CVSS 5.9
CVE-2016-7055 [MEDIUM] CVE-2016-7055: openssl - There is a carry propagating bug in the Broadwell-specific Montgomery multiplica...
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are
Cisco
Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016
vendor_cisco
CVE-2016-7055 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016
CVE-2016-7055: Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016
On November 10, 2016, the OpenSSL Software Foundation released a security advisory that describes three vulnerabilities. Of these vulnerabilities, the OpenSSL Software Foundation classifies one as “Critical Severity,” one as “Moderate Severity,” and one as “Low Severity.” Two of the vulnerabilities affect only recent OpenSSL versions in the 1.1.0 release series. The remaining Low Severity vulnerability affects OpenSSL versions in the 1.0.2 and 1.1.0 release series. This advisory will be updated as additional information becomes available. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161114-openssl
CWE: CWE-1
GHSA
GHSA-hxpw-pxmm-q49r: There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1
ghsa_unreviewed·2022-05-14
CVE-2016-7055 [MEDIUM] GHSA-hxpw-pxmm-q49r: There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are
OSV
CVE-2016-7055: There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1
osv·2017-05-04·CVSS 5.9
CVE-2016-7055 [MEDIUM] CVE-2016-7055: There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are
OSV
openssl vulnerabilities
osv·2017-01-31·CVSS 9.8
CVE-2016-2177 [CRITICAL] openssl vulnerabilities
openssl vulnerabilities
Guido Vranken discovered that OpenSSL used undefined behaviour when
performing pointer arithmetic. A remote attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service. This
issue only applied to Ubuntu 12.04 LTS and Ubuntu 14.04 LTS as other
releases were fixed in a previous security update. (CVE-2016-2177)
It was discovered that OpenSSL did not properly handle Montgomery
multiplication, resulting in incorrect results leading to transient
failures. This issue only applied to Ubuntu 16.04 LTS, and Ubuntu 16.10.
(CVE-2016-7055)
It was discovered that OpenSSL did not properly use constant-time
operations when performing ECDSA P-256 signing. A remote attacker could
possibly use this issue to perform a timing attack and recover
No detection rules found.
No public exploits indexed.
Tenable
[R5] SecurityCenter 5.4.3 Fixes Multiple Vulnerabilities
blogs_tenable·2017-02-14
[R5] SecurityCenter 5.4.3 Fixes Multiple Vulnerabilities
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Tenable
[R2] Nessus 6.10 Fixes Multiple Third-party Library Vulnerabilities
blogs_tenable·2017-02-01
[R2] Nessus 6.10 Fixes Multiple Third-party Library Vulnerabilities
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
Bugzilla
CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication
bugzilla·2016-11-10·CVSS 5.9
CVE-2016-7055 [MEDIUM] CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication
CVE-2016-7055 openssl: Carry propagating bug in Montgomery multiplication
Quoting form the OpenSSL upstream advisory:
Montgomery multiplication may produce incorrect results (CVE-2016-7055)
Severity: Low
There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits. Analysis suggests that attacks against RSA, DSA
and DH private keys are impossible. This is because the subroutine in
question is not used in operations with the private key itself and an input
of the attacker's direct choice. Otherwise the bug can manifest itself as
transient authentication and key negotiation failures or reproducible
erroneous outcome of public-key operations with specially crafted input.
Among EC algorithms
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttp://www.securityfocus.com/bid/94242http://www.securitytracker.com/id/1037261https://access.redhat.com/errata/RHSA-2018:2185https://access.redhat.com/errata/RHSA-2018:2186https://access.redhat.com/errata/RHSA-2018:2187https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03752en_ushttps://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03744en_ushttps://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.aschttps://security.gentoo.org/glsa/201702-07https://www.openssl.org/news/secadv/20161110.txthttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttps://www.tenable.com/security/tns-2017-04http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttp://www.securityfocus.com/bid/94242http://www.securitytracker.com/id/1037261https://access.redhat.com/errata/RHSA-2018:2185https://access.redhat.com/errata/RHSA-2018:2186https://access.redhat.com/errata/RHSA-2018:2187https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03752en_ushttps://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03744en_ushttps://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.aschttps://security.gentoo.org/glsa/201702-07https://www.openssl.org/news/secadv/20161110.txthttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttps://www.tenable.com/security/tns-2017-04
2017-05-04
Published