CVE-2017-3737
published 2017-12-07


Priority: P3 · 51 · medium · 5.9 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 78.67% (99.5th percentile)
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake, OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()); however, due to a bug, it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.

Affected

49 ranges· showing 25
Vendor   Product        Version range                   Fixed in
debian   debian_linux
debian   nodejs
debian   openssl        < openssl 1.1.0b-2 (bookworm)   openssl 1.1.0b-2 (bookworm)
nodejs   node.js        4.0.0 – 4.1.2
nodejs   node.js        >= 4.2.0 < 4.8.7                4.8.7
nodejs   node.js        6.0.0 – 6.8.1
nodejs   node.js        >= 6.9.0 < 6.12.2               6.12.2
nodejs   node.js        8.0.0 – 8.8.1
nodejs   node.js        >= 8.9.0 < 8.9.3                8.9.3
nodejs   node.js        >= 9.0.0 < 9.2.1                9.2.1
nodejs   nodejs         >= 0 < 8.9.3-r0                 8.9.3-r0

Detection & IOCs (extracted from sources)

other: OpenSSL.Handshake.Error.State.Security.Bypass
  • Look for TLS sessions where a fatal handshake alert is followed immediately by application-layer data records on the same TCP connection/SSL object — this indicates the error state bypass is being exploited.
  • Monitor for attacker-controlled SSL servers sending malformed Server Hello messages to clients running OpenSSL 1.0.2b–1.0.2m, triggering ssl3_get_server_hello() fatal errors that set s->state to SSL_ST_ERR.
  • For Node.js environments, flag active network connections using TLS or HTTP/2 modules where TLS handshake failure is followed by continued data exchange, as Node.js was specifically vulnerable via SSL_read() misuse.
  • No authentication is required to exploit this vulnerability; any unauthenticated connection attempt to a vulnerable SSL endpoint should be considered a potential exploitation vector.
  • Only OpenSSL versions 1.0.2b through 1.0.2m are affected; OpenSSL 1.0.2n (patched) and OpenSSL 1.1.0 are NOT vulnerable.
  • Exploitation requires an application-level bug where SSL_read()/SSL_write() is called again after a fatal handshake error is returned — a correctly written application that checks errors is not exploitable.
  • The vulnerability does NOT affect the explicit handshake functions SSL_do_handshake(), SSL_accept(), and SSL_connect() — only direct calls to SSL_read()/SSL_write() are affected.
  • The 'error state' mechanism itself was only introduced in OpenSSL 1.0.2b; versions prior to 1.0.2b do not have this mechanism and are therefore not affected by this specific bypass.
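
The first detection bullet above, as an added example (not code from this page, OpenSSL or Node.js): a small TLS record walker that flags application_data records seen after a plaintext fatal alert on one connection. It assumes the capture has already been reassembled into per-connection segments that each hold whole records; the function names and the sample traffic are constructed for illustration.

```python
import struct

ALERT, APPLICATION_DATA = 21, 23   # TLS record content types
FATAL = 2                          # alert level "fatal"

def parse_records(stream: bytes):
    """Yield (content_type, payload) for each complete TLS record in stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, _minor, length = struct.unpack_from("!BBBH", stream, off)
        if major != 3 or off + 5 + length > len(stream):
            break  # not TLS, or truncated capture: stop rather than guess
        yield ctype, stream[off + 5 : off + 5 + length]
        off += 5 + length

def find_post_fatal_appdata(segments):
    """segments: [(direction, bytes)] in capture order for ONE TCP connection.
    Returns [(segment_index, direction, payload_length)] for every
    application_data record observed after a plaintext fatal alert."""
    fatal_seen = False
    hits = []
    for idx, (direction, data) in enumerate(segments):
        for ctype, payload in parse_records(data):
            # A handshake-time alert is unencrypted: exactly two bytes,
            # level then description. Encrypted alerts are longer and skipped.
            if ctype == ALERT and len(payload) == 2 and payload[0] == FATAL:
                fatal_seen = True
            elif ctype == APPLICATION_DATA and fatal_seen:
                hits.append((idx, direction, len(payload)))
    return hits

def record(ctype, payload, version=(3, 3)):
    """Build one TLS record (helper for the constructed samples below)."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload

# Constructed sample traffic; handshake bodies are stubs, not real messages.
HELLO_C = ("c2s", record(22, b"\x01\x00\x00\x00"))
HELLO_S = ("s2c", record(22, b"\x02\x00\x00\x00"))
FATAL_ALERT = ("c2s", record(ALERT, bytes([FATAL, 47])))   # illegal_parameter
WARN_ALERT = ("c2s", record(ALERT, bytes([1, 0])))         # close_notify

SUSPECT = [HELLO_C, HELLO_S, FATAL_ALERT,
           ("c2s", record(APPLICATION_DATA, b"GET / HTTP/1.1\r\n"))]
CLEAN = [HELLO_C, HELLO_S, FATAL_ALERT]
WARNING_ONLY = [HELLO_C, HELLO_S, WARN_ALERT,
                ("c2s", record(APPLICATION_DATA, b"x" * 8))]

if __name__ == "__main__":
    print(find_post_fatal_appdata(SUSPECT))
```

A hit is a lead for triage, not proof of exploitation: confirm the endpoint's OpenSSL version falls in 1.0.2b through 1.0.2m before escalating.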

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      5.9     MEDIUM     CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd             v2.0      4.3     MEDIUM     AV:N/AC:M/Au:N/C:P/I:N/A:N
osv                       9.1     CRITICAL
vendor_debian             9.1     LOW
vendor_redhat             9.1     CRITICAL
vendor_ubuntu             5.9     MEDIUM