Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-3730

CWE-476 — NULL Pointer Dereference CWE-310 CWE-39910 documents10 sources

Severity

7.5HIGH

EPSS

52.9%

top 2.05%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Openssl Openssl Oracle Agile Engineering Data Management Oracle Communications Application Session Controller +4 more

Timeline

PublishedMay 4

Latest updateMay 14

Description

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this can result in the client attempting to dereference a NULL pointer leading to a client crash. This could be exploited in a Denial of Service attack.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages9 packages

▶Debianopenssl< 1.1.0d-1+3

▶CVEListV5openssl/openssl4 versions+3

▶NVDopenssl/openssl4 versions+3

▶NVDoracle/jd_edwards_world_security4 versions+3

▶NVDoracle/jd_edwards_enterpriseone_tools9.2

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-rq64-8m54-26j4: In OpenSSL 1↗2022-05-14

▶

CVEList

Bad (EC)DHE parameters cause a client crash↗2017-05-04

▶

OSV

CVE-2017-3730: In OpenSSL 1↗2017-05-04

▶

💥Exploits & PoCs

Exploit-DB

OpenSSL 1.1.0 - Remote Client Denial of Service↗2017-01-26

▶

📋Vendor Advisories

Cisco

Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017↗2017-01-31

▶

Red Hat

openssl: Bad (EC)DHE parameters cause a client crash↗2017-01-26

▶

Debian

CVE-2017-3730: openssl - In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters fo...↗2017

▶

💬Community

HackerOne

CVE-2017-3730: Bad (EC)DHE parameters cause a client crash↗2017-02-07

▶

Bugzilla

CVE-2017-3730 openssl: Bad (EC)DHE parameters cause a client crash↗2017-01-26

▶