CVE-2017-3736
Published: 2017-11-02
Priority: P3 · 41 · medium · CVSS 3.0 base score 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 10.13% (95.1 percentile)
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
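The description above characterises the defect as a lost carry inside Montgomery squaring. As an added illustration (example code written for this page, not OpenSSL's bn_sqrx8x_internal and not taken from any advisory), the Python below models a word-level Montgomery multiplier in the CIOS form, a variant that discards the carry out of the top limb, and a differential self-check against Python's big-integer pow() that finds an input on which the buggy variant returns a wrong residue. Squaring is the a == b case; the word width, the toy 16-bit modulus and the trial count are chosen for illustration only.

```python
"""
Added illustration (not OpenSSL code): CIOS Montgomery multiplication with
configurable limb width, a variant that drops the carry out of the most
significant limb, and a differential check that exposes the wrong result.
"""
import random


def montgomery_product(a, b, n, width=64, drop_top_carry=False):
    """Return a*b*R^-1 mod n with R = 2^(width*k), k = number of limbs in n.

    Coarsely Integrated Operand Scanning (CIOS). With drop_top_carry=True the
    carry out of the top limb in the reduction step is discarded: a deliberate
    bug, modelling the class of defect described in the advisory.
    """
    assert n % 2 == 1 and 0 <= a < n and 0 <= b < n
    mask = (1 << width) - 1
    k = (n.bit_length() + width - 1) // width
    n_inv = (-pow(n, -1, 1 << width)) & mask          # -n^-1 mod 2^width
    A = [(a >> (width * i)) & mask for i in range(k)]
    B = [(b >> (width * i)) & mask for i in range(k)]
    N = [(n >> (width * i)) & mask for i in range(k)]
    t = [0] * (k + 2)
    for i in range(k):
        # t += a * B[i], limb by limb
        c = 0
        for j in range(k):
            s = t[j] + A[j] * B[i] + c
            t[j], c = s & mask, s >> width
        s = t[k] + c
        t[k], t[k + 1] = s & mask, s >> width
        # t = (t + m*n) / 2^width, with m chosen so the low limb cancels
        m = (t[0] * n_inv) & mask
        c = (t[0] + m * N[0]) >> width
        for j in range(1, k):
            s = t[j] + m * N[j] + c
            t[j - 1], c = s & mask, s >> width
        s = t[k] + c
        t[k - 1] = s & mask
        if drop_top_carry:
            t[k] = t[k + 1]                            # BUG: (s >> width) is lost
        else:
            t[k] = t[k + 1] + (s >> width)
    r = sum(limb << (width * i) for i, limb in enumerate(t[: k + 1]))
    return r - n if r >= n else r


def reference_product(a, b, n, width=64):
    """The same quantity via Python big ints, as an independent oracle."""
    k = (n.bit_length() + width - 1) // width
    R = 1 << (width * k)
    return (a * b * pow(R, -1, n)) % n


def first_carry_discrepancy(n, width=64, trials=256, seed=1):
    """Return the first (a, b) on which the buggy variant disagrees, else None.

    Raises if the correct variant ever disagrees with the oracle, so the
    search doubles as a regression check for the multiplier itself.
    """
    rng = random.Random(seed)
    for _ in range(trials):
        a, b = rng.randrange(n), rng.randrange(n)
        good = montgomery_product(a, b, n, width)
        if good != reference_product(a, b, n, width):
            raise AssertionError("correct variant failed; implementation bug")
        if montgomery_product(a, b, n, width, drop_top_carry=True) != good:
            return a, b
    return None


if __name__ == "__main__":
    # Constructed toy modulus: 16 bits, odd, top bit set, two 8-bit limbs.
    print("toy modulus:", first_carry_discrepancy(0xFFEF, width=8))
    # Constructed 128-bit modulus close to R, two 64-bit limbs.
    print("128-bit modulus:", first_carry_discrepancy((1 << 128) - 159))
```

The search is the generic way such bugs are caught in hand-written bignum assembly: a lost carry only fires on particular limb patterns, so fixed test vectors rarely hit it, while a differential check against an independent implementation over random inputs does. It is also the shape of the offline work the advisory refers to: an attacker first finds inputs that trigger the wrong result, then needs an unpatched system that will exponentiate those inputs with a long-lived private key.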
Affected (47 ranges indexed; rows that carried no version data are collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | openssl | < openssl 1.1.0h-1 (bookworm) | openssl 1.1.0h-1 (bookworm) |
| debian | openssl | < openssl 1.1.0g-1 (bookworm) | openssl 1.1.0g-1 (bookworm) |
| nodejs | node.js | 4.0.0 – 4.1.2 | — |
| nodejs | node.js | >= 4.2.0 < 4.8.7 | 4.8.7 |
| nodejs | node.js | 6.0.0 – 6.8.1 | — |
| nodejs | node.js | >= 6.9.0 < 6.12.2 | 6.12.2 |
| nodejs | node.js | 8.0.0 – 8.8.1 | — |
| nodejs | node.js | >= 8.9.0 < 8.9.3 | 8.9.3 |
| nodejs | node.js | >= 9.0.0 < 9.2.1 | 9.2.1 |
| openssl | openssl | — | — |
Upstream ranges per the advisory text: OpenSSL 1.0.2 before 1.0.2m and 1.1.0 before 1.1.0g.
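Two facts from the advisory decide whether a given host matters: the OpenSSL series and patch letter, and whether the CPU exposes the BMI1/BMI2/ADX extensions on which the affected assembly path is used. The helper below is added example code (not from OpenSSL or any vendor advisory) that applies both checks to an `openssl version` line and the contents of /proc/cpuinfo. It assumes upstream version letters; a distribution that backports the fix without changing the letter (as the Debian and Ubuntu entries on this page do) must be judged by its own advisory instead, and series other than 1.0.2 and 1.1.0 are reported as not assessed rather than guessed at.

```python
"""
Added triage helper (example code, not from OpenSSL or any vendor advisory).
Assumptions: upstream patch letters, and the fixed versions named in the
advisory (1.0.2m and 1.1.0g). Distro-patched builds need the vendor advisory.
"""
import re

# From the advisory: 1.0.2 fixed in 1.0.2m, 1.1.0 fixed in 1.1.0g.
FIXED_LETTER = {"1.0.2": "m", "1.1.0": "g"}
# The affected code path is only taken on CPUs with all three extensions.
REQUIRED_FLAGS = frozenset({"bmi1", "bmi2", "adx"})

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def upstream_series_affected(version_line):
    """True/False for a 1.0.2 or 1.1.0 build; None when this check does not apply.

    `version_line` is the output of `openssl version`, e.g.
    "OpenSSL 1.0.2k  26 Jan 2017". Patch letters sort alphabetically and an
    empty letter is the first release of a series, so a string compare works
    (two-letter suffixes such as "za" still sort above "m").
    """
    m = _VERSION_RE.search(version_line)
    if m is None:
        return None                      # not an OpenSSL version string
    series, letter = m.group(1), m.group(2)
    if series not in FIXED_LETTER:
        return None                      # 1.1.1 and later, or other series
    return letter < FIXED_LETTER[series]


def cpu_exposes_adx_path(cpuinfo_text):
    """True when any core's `flags` line in /proc/cpuinfo lists bmi1, bmi2 and adx."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            if REQUIRED_FLAGS <= set(value.split()):
                return True
    return False


def triage(version_line, cpuinfo_text):
    """One verdict per host: not-assessed, patched, exposed or cpu-not-affected."""
    affected = upstream_series_affected(version_line)
    if affected is None:
        return "not-assessed"
    if not affected:
        return "patched"
    return "exposed" if cpu_exposes_adx_path(cpuinfo_text) else "cpu-not-affected"


# Constructed sample inputs (not captured from real hosts).
SAMPLE_CPUINFO_ADX = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme sse2 avx2 bmi1 bmi2 adx rdseed\n"
)
SAMPLE_CPUINFO_NO_ADX = (
    "processor\t: 0\n"
    "flags\t\t: fpu vme sse2 avx2 bmi1 bmi2 rdrand\n"
)

if __name__ == "__main__":
    for ver in ("OpenSSL 1.0.2k  26 Jan 2017", "OpenSSL 1.0.2m  2 Nov 2017",
                "OpenSSL 1.1.0  25 Aug 2016", "OpenSSL 1.1.1k  25 Mar 2021"):
        print(f"{ver:30} -> {triage(ver, SAMPLE_CPUINFO_ADX)}")
```

On a live host, feed `triage()` the output of `openssl version` and the text of /proc/cpuinfo; note that the version string tells you which library binary the `openssl` tool was built against, not necessarily the one a long-running daemon has mapped, so a restart after patching is still required (the Ubuntu entry below says the same).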
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 5.3 | MEDIUM | — |
Red Hat · vendor_redhat · 2017-12-07 · CVSS 7.5
CVE-2017-3738 [HIGH] CWE-190: openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation) …
BSD · bsd_advisories · 2017-11-29 · CVSS 5.3
CVE-2017-3735 [MEDIUM]: FreeBSD-SA-17:11.openssl: OpenSSL multiple vulnerabilities
FreeBSD-SA-17:11.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2017-11-29
Affects: All supported versions of FreeBSD.
Corrected: 2017-11-02 18:30:41 UTC (stable/11, 11.1-STABLE)
2017-11-29 05:59:12 UTC (releng/11.1, 11.1-RELEASE-p5)
2017-11-29 05:59:12 UTC (releng/11.0, 11.0-RELEASE-p16)
2017-11-29 05:35:28 UTC (stable/10, 10.4-STABLE)
2017-11-29 05:59:50 UTC (releng/10.4, 10.4-RELEASE-p4)
2017-11-29 05:59:50 UTC (releng/10.3, 10.3-RELEASE-p25)
CVE Name: CVE-2017-3735, CVE-2017-3736
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD includes software from the Open
Ubuntu · vendor_ubuntu · 2017-11-06 · CVSS 5.3
CVE-2017-3735 [MEDIUM]: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
It was discovered that OpenSSL incorrectly parsed the IPAddressFamily
extension in X.509 certificates, resulting in an erroneous display of the
certificate in text format. (CVE-2017-3735)
It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery
squaring procedure. While unlikely, a remote attacker could possibly use
this issue to recover private keys. This issue only applied to Ubuntu 16.04
LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-3736)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Red Hat · vendor_redhat · 2017-11-02 · CVSS 6.5
CVE-2017-3736 [MEDIUM] CWE-682: openssl: bn_sqrx8x_internal carry bug on x86_64
Description: same text as the advisory description at the top of this page.
Debian · vendor_debian · 2017 · CVSS 7.5
CVE-2017-3738 [HIGH]: openssl: overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli
Description: same text as the Red Hat CVE-2017-3738 entry above.
Debian · vendor_debian · 2017 · CVSS 6.5
CVE-2017-3736 [MEDIUM]: openssl: carry propagating bug in the x86_64 Montgomery squaring procedure
Description: same text as the advisory description at the top of this page.
GHSA · ghsa_unreviewed · 2022-05-14
CVE-2017-3736 [MEDIUM] CWE-200: GHSA-72w7-9ghx-p5pg: carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL
Description: same text as the advisory description at the top of this page.
GHSA · ghsa_unreviewed · 2022-05-14 · CVSS 7.5
CVE-2017-3738 [HIGH] CWE-200: GHSA-gj3m-w8pf-46c5: overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli
Description: same text as the Red Hat CVE-2017-3738 entry above.
OSV · osv · 2017-12-07 · CVSS 7.5
CVE-2017-3738 [HIGH]: overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli
Description: same text as the Red Hat CVE-2017-3738 entry above.
OSV · osv · 2017-11-06 · CVSS 5.3
CVE-2017-3735 [MEDIUM]: openssl vulnerabilities
Description: same USN text as the Ubuntu entry above (CVE-2017-3735 IPAddressFamily parsing; CVE-2017-3736 x86_64 Montgomery squaring).
OSV · osv · 2017-11-02 · CVSS 6.5
CVE-2017-3736 [MEDIUM]: carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL
Description: same text as the advisory description at the top of this page.
No detection rules found.
No public exploits indexed.
Bugzilla · bugzilla · 2017-12-08 · CVSS 7.5
CVE-2017-3738 [HIGH]: CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
Description: same text as the Red Hat CVE-2017-3738 entry above.
Bugzilla · bugzilla · 2017-11-03 · CVSS 7.5
CVE-2017-3736 [HIGH]: CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64
Description: same text as the advisory description at the top of this page, without the "in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g" version range.
Bugzilla · bugzilla · 2017-08-29 · CVSS 5.3
CVE-2017-3735 [MEDIUM]: CVE-2017-3735 CVE-2017-3736 openssl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. Wh
Bugzilla · bugzilla · 2017-08-29 · CVSS 5.3
CVE-2017-3735 [MEDIUM]: CVE-2017-3735 CVE-2017-3736 mingw-openssl: various flaws [fedora-all]
Same automatically created Fedora tracking-bug text as the openssl [fedora-all] entry above.
Tenable · blogs_tenable · 2017-12-05
[R1] Nessus 6.11.3 Fixes Multiple Third-party Vulnerabilities
Tenable · blogs_tenable · 2017-11-14
[R1] SecurityCenter 5.6.0.1 Fixes Multiple Third-party Vulnerabilities
References
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/101666
http://www.securitytracker.com/id/1039727
https://access.redhat.com/errata/RHSA-2018:0998
https://access.redhat.com/errata/RHSA-2018:2185
https://access.redhat.com/errata/RHSA-2018:2186
https://access.redhat.com/errata/RHSA-2018:2187
https://access.redhat.com/errata/RHSA-2018:2568
https://access.redhat.com/errata/RHSA-2018:2575
https://access.redhat.com/errata/RHSA-2018:2713
https://github.com/openssl/openssl/commit/4443cf7aa0099e5ce615c18cee249fff77fb0871
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:11.openssl.asc
https://security.gentoo.org/glsa/201712-03
https://security.netapp.com/advisory/ntap-20171107-0002/
https://security.netapp.com/advisory/ntap-20180117-0002/
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03881en_us
https://www.debian.org/security/2017/dsa-4017
https://www.debian.org/security/2017/dsa-4018
https://www.openssl.org/news/secadv/20171102.txt
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.tenable.com/security/tns-2017-14
https://www.tenable.com/security/tns-2017-15