CVE-2017-3733
Published: 2017-05-04
Priority: P3 · high · CVSS 3.0: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 12.87% (95.8th percentile)
During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice-versa) then this can cause OpenSSL 1.1.0 before 1.1.0e to crash (dependent on ciphersuite). Both clients and servers are affected.
Affected: 17 ranges (distinct entries below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | openssl | < openssl 1.1.0e-1 (bookworm) | openssl 1.1.0e-1 (bookworm) |
| hp | operations_agent | — | — |
| openssl | openssl | >= 0 < 1.1.0e-1 | 1.1.0e-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_cisco | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
CVE-2017-3733 [HIGH] openssl: Encrypt-Then-Mac renegotiation crash
vendor_redhat · 2017-02-16 · CVSS 7.5
It was found that changing the ciphersuite during a renegotiation of the Encrypt-Then-Mac extension could result in a crash of the OpenSSL server or client.
Package: openssl (Red Hat Enterprise Linux 5) - Not affected
Package: openssl097a (Red Hat Enterprise Linux 5) - Not affected
Package: openssl (Red Hat Enterprise Linux 6) - Not affected
Package: openssl098e (Red Hat Enterprise Linux 6) - Not affected
Package: openssl (Red Hat Enterprise Linux 7) - Not affected
Package: ope
Cisco
CVE-2017-3730 [HIGH] CWE-310 Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017
vendor_cisco · 2017-01-31 · CVSS 7.5
On January 26, 2017, the OpenSSL Software Foundation released a security advisory that included three new vulnerabilities. The foundation also released one vulnerability that was already disclosed in the OpenSSL advisory for November 2016 and included in the Cisco Security Advisory Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: November 2016. OpenSSL classifies all the new vulnerabilities as “Moderate Severity.”
The first vulnerability affects only OpenSSL used on 32-bit systems architecture and may cause OpenSSL to crash. The second vulnerability affects only version 1.1.0 and occurs only when OpenSSL is used on the client side. The second vulnerability may cause OpenSSL to crash when
Debian
CVE-2017-3733 [HIGH] openssl - During a renegotiation handshake if the Encrypt-Then-Mac extension is negotiated...
vendor_debian · 2017 · CVSS 7.5
Scope: local
bookworm: resolved (fixed in 1.1.0e-1)
bullseye: resolved (fixed in 1.1.0e-1)
forky: resolved (fixed in 1.1.0e-1)
sid: resolved (fixed in 1.1.0e-1)
trixie: resolved (fixed in 1.1.0e-1)
Cisco
vendor_cisco: the same advisory (Multiple Vulnerabilities in OpenSSL Affecting Cisco Products: January and February 2017) is also indexed under CVE-2017-3731, CVE-2017-3732 and CVE-2017-3733.
GHSA
CVE-2017-3733 [HIGH] CWE-20 GHSA-6553-6v42-5wqc
ghsa_unreviewed · 2022-05-14
OSV
CVE-2017-3733 [HIGH]
osv · 2017-05-04 · CVSS 7.5
No detection rules found.
No public exploits indexed.
References
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securityfocus.com/bid/96269
http://www.securitytracker.com/id/1037846
https://github.com/openssl/openssl/commit/4ad93618d26a3ea23d36ad5498ff4f59eff3a4d2
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03728en_us
https://www.openssl.org/news/secadv/20170216.txt
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html