CVE-2017-1000385
Published: 2017-12-12
Priority P3 · 42 · medium · 5.9 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 22.10% (97.4th percentile)
The Erlang otp TLS server answers with different TLS alerts to different error types in the RSA PKCS #1 1.5 padding. This allows an attacker to decrypt content or sign messages with the server's private key (this is a variation of the Bleichenbacher attack).
Affected (12 ranges in the source; identical rows shown once)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | erlang | < erlang 1:20.1.7+dfsg-1 (bookworm) | erlang 1:20.1.7+dfsg-1 (bookworm) |
| erlang | erlang_otp | — | — |
| erlang | erlang_otp | >= 0 < 1:20.1.7+dfsg-1 | 1:20.1.7+dfsg-1 |
| erlang | erlang_otp | >= 0 < 1:16.b.3-dfsg-1ubuntu2.2 | 1:16.b.3-dfsg-1ubuntu2.2 |
| erlang | erlang_otp | >= 0 < 1:18.3-dfsg-1ubuntu3.1 | 1:18.3-dfsg-1ubuntu3.1 |
Detection & IOCs (extracted from sources)
- The Erlang TLS server leaks distinguishable TLS alert types in response to RSA PKCS#1 1.5 padding errors, enabling a Bleichenbacher (adaptive chosen ciphertext) oracle attack. Monitor for high volumes of TLS ClientKeyExchange messages or repeated TLS handshake failures against the same server as an indicator of active oracle probing.
- Erlang TLS servers configured with RSA key-exchange cipher suites are specifically vulnerable; detection should focus on identifying negotiation of such cipher suites in TLS handshakes against Erlang/OTP TLS endpoints.
- The vulnerability is specific to Erlang/OTP TLS servers using RSA key-exchange cipher suites; servers using non-RSA key exchange (e.g., ECDHE, DHE) are not affected by this particular oracle.
- Fixed in Erlang/OTP version 20.1.7 (Debian package 1:20.1.7+dfsg-1) and erlang-19.3.6.4 for Fedora 26/27; unpatched Erlang/OTP TLS servers remain exploitable.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_debian | — | 5.9 | MEDIUM | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |
GHSA
GHSA-957c-5x9m-m7rv · ghsa_unreviewed · 2022-05-13 · CVE-2017-1000385 [MEDIUM] · CWE-203
Description identical to the CVE text above.
OSV
erlang vulnerabilities · osv · 2018-02-14 · CVSS 7.5 · CVE-2014-1693 [HIGH]
It was discovered that the Erlang FTP module incorrectly handled certain CRLF sequences. A remote attacker could possibly use this issue to inject arbitrary FTP commands. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-1693)
It was discovered that Erlang incorrectly checked CBC padding bytes. A remote attacker could possibly use this issue to perform a padding oracle attack and decrypt traffic. This issue only affected Ubuntu 14.04 LTS. (CVE-2015-2774)
It was discovered that Erlang incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Erlang to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-10253)
Hanno Böck, Juraj Somorovsky and Crai
OSV
CVE-2017-1000385 · osv · 2017-12-12 · CVSS 5.9 · [MEDIUM]
Description identical to the CVE text above.
Ubuntu
Erlang vulnerabilities · vendor_ubuntu · 2018-02-14 · CVSS 7.5 · CVE-2014-1693 [HIGH]
Title: Erlang vulnerabilities
Summary: Several security issues were fixed in Erlang.
Advisory text identical to the OSV "erlang vulnerabilities" entry above.
Red Hat
erlang: TLS server vulnerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery or MITM attack · vendor_redhat · 2017-11-23 · CVSS 5.9 · CVE-2017-1000385 [MEDIUM] · CWE-300
Description identical to the CVE text above.
An Erlang TLS server configured with cipher suites using RSA key exchange may be vulnerable to an Adaptive Chosen Ciphertext attack (also known as the Bleichenbacher attack) against RSA. This may result in plaintext recovery of encrypted messages and/or a man-in-the-middle (MITM) attack, despite the attacker not having gained access to the server's private key itself.
Statement: This issue affects the versions of erlang as shipped with
Debian
CVE-2017-1000385: erlang · vendor_debian · 2017 · CVSS 5.9 · [MEDIUM]
Description identical to the CVE text above.
Scope: local
bookworm: resolved (fixed in 1:20.1.7+dfsg-1)
bullseye: resolved (fixed in 1:20.1.7+dfsg-1)
forky: resolved (fixed in 1:20.1.7+dfsg-1)
sid: resolved (fixed in 1:20.1.7+dfsg-1)
trixie: resolved (fixed in 1:20.1.7+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-1000385 erlang: TLS server vulnerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery or MITM attack [fedora-all] · bugzilla · 2017-12-04 · CVSS 5.9 · [MEDIUM]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit
Bugzilla
CVE-2017-1000385 erlang: TLS server vulnerable to Adaptive Chosen Ciphertext attack allowing plaintext recovery or MITM attack · bugzilla · 2017-12-04 · CVSS 5.9 · [MEDIUM]
An Erlang TLS server configured with cipher suites using RSA key exchange may be vulnerable to an Adaptive Chosen Ciphertext attack (also known as the Bleichenbacher attack) against RSA, which, when exploited, may result in plaintext recovery of encrypted messages and/or a man-in-the-middle (MITM) attack, despite the attacker not having gained access to the server's private key itself.
References:
https://groups.google.com/forum/#!topic/erlang-programming/J0LH-j6fRlM
Discussion:
Created erlang tracking bugs for this issue:
Affects: fedora-all [bug 1520401]
---
This is not high touch. As per IRC discussion earlier with Garth, making this high touch adds no value to anythi
References
- http://erlang.org/pipermail/erlang-questions/2017-November/094255.html
- http://erlang.org/pipermail/erlang-questions/2017-November/094256.html
- http://erlang.org/pipermail/erlang-questions/2017-November/094257.html
- http://www.securityfocus.com/bid/102197
- https://access.redhat.com/errata/RHSA-2018:0242
- https://access.redhat.com/errata/RHSA-2018:0303
- https://access.redhat.com/errata/RHSA-2018:0368
- https://access.redhat.com/errata/RHSA-2018:0528
- https://lists.debian.org/debian-lts-announce/2017/12/msg00010.html
- https://robotattack.org/
- https://usn.ubuntu.com/3571-1/
- https://www.debian.org/security/2017/dsa-4057
- https://www.kb.cert.org/vuls/id/144389
Published: 2017-12-12