CVE-2017-3738
published 2017-12-07CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis…
PriorityP339medium5.9CVSS 3.1
AVNACHPRNUINSUCHINAN
EPSS
13.41%
95.9th percentile
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th generation). Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732 and CVE-2015-3193. OpenSSL version 1.0.2-1.0.2m and 1.1.0-1.1.0g are affected. Fixed in OpenSSL 1.0.2n. Due to the low severity of this issue we are not issuing a new release of OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it becomes available. The fix is also available in commit e502cc86d in the OpenSSL git repository.
Affected
37 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | openssl | < openssl 1.1.0h-1 (bookworm) | openssl 1.1.0h-1 (bookworm) |
| nodejs | node.js | 4.0.0 – 4.1.2 | — |
| nodejs | node.js | >= 4.2.0 < 4.8.7 | 4.8.7 |
| nodejs | node.js | 6.0.0 – 6.8.1 | — |
| nodejs | node.js | >= 6.9.0 < 6.12.2 | 6.12.2 |
| nodejs | node.js | 8.0.0 – 8.8.1 | — |
| nodejs | node.js | >= 8.9.0 < 8.9.3 | 8.9.3 |
| nodejs | node.js | >= 9.0.0 < 9.2.1 | 9.2.1 |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
CVSS provenance
nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N
osv7.5HIGH
vendor_debian7.5LOW
vendor_redhat7.5HIGH
vendor_ubuntu5.9MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2017-12-11·CVSS 5.9
CVE-2017-3737 [MEDIUM] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
David Benjamin discovered that OpenSSL did not correctly prevent
buggy applications that ignore handshake errors from subsequently calling
certain functions. (CVE-2017-3737)
It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery
multiplication procedure. While unlikely, a remote attacker could possibly
use this issue to recover private keys. (CVE-2017-3738)
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
BSD
FreeBSD-SA-17:12.openssl: OpenSSL multiple vulnerabilities
bsd_advisories·2017-12-09·CVSS 5.9
CVE-2016-0701 [MEDIUM] FreeBSD-SA-17:12.openssl: OpenSSL multiple vulnerabilities
FreeBSD-SA-17:12.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2017-12-09
Affects: All supported versions of FreeBSD.
Corrected: 2017-12-07 18:04:48 UTC (stable/11, 11.1-STABLE)
2017-12-09 03:44:26 UTC (releng/11.1, 11.1-RELEASE-p6)
2017-12-09 03:41:31 UTC (stable/10, 10.4-STABLE)
2017-12-09 03:45:23 UTC (releng/10.4, 10.4-RELEASE-p5)
2017-12-09 03:45:23 UTC (releng/10.3, 10.3-RELEASE-p26)
CVE Name: CVE-2017-3737, CVE-2017-3738
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effo
Red Hat
openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
vendor_redhat·2017-12-07·CVSS 7.5
CVE-2017-3738 [HIGH] CWE-190 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2
Debian
CVE-2017-3738: openssl - There is an overflow bug in the AVX2 Montgomery multiplication procedure used in...
vendor_debian·2017·CVSS 7.5
CVE-2017-3738 [HIGH] CVE-2017-3738: openssl - There is an overflow bug in the AVX2 Montgomery multiplication procedure used in...
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th gener
GHSA
GHSA-gj3m-w8pf-46c5: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli
ghsa_unreviewed·2022-05-14·CVSS 7.5
CVE-2017-3738 [HIGH] CWE-200 GHSA-gj3m-w8pf-46c5: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th gener
OSV
openssl vulnerabilities
osv·2017-12-11·CVSS 5.9
CVE-2017-3737 [MEDIUM] openssl vulnerabilities
openssl vulnerabilities
David Benjamin discovered that OpenSSL did not correctly prevent
buggy applications that ignore handshake errors from subsequently calling
certain functions. (CVE-2017-3737)
It was discovered that OpenSSL incorrectly performed the x86_64 Montgomery
multiplication procedure. While unlikely, a remote attacker could possibly
use this issue to recover private keys. (CVE-2017-3738)
OSV
CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli
osv·2017-12-07·CVSS 7.5
CVE-2017-3738 [HIGH] CVE-2017-3738: There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701. This only affects processors that support the AVX2 but not ADX extensions like Intel Haswell (4th gener
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-3737 CVE-2017-3738 mingw-openssl: various flaws [fedora-all]
bugzilla·2017-12-08·CVSS 5.9
CVE-2017-3737 [MEDIUM] CVE-2017-3737 CVE-2017-3738 mingw-openssl: various flaws [fedora-all]
CVE-2017-3737 CVE-2017-3738 mingw-openssl: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedo
Bugzilla
CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 [fedora-all]
bugzilla·2017-12-08·CVSS 5.9
CVE-2017-3738 [MEDIUM] CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 [fedora-all]
CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64 [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla
CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
bugzilla·2017-12-08·CVSS 7.5
CVE-2017-3738 [HIGH] CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
CVE-2017-3738 openssl: rsaz_1024_mul_avx2 overflow bug on x86_64
There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this defect
would be very difficult to perform and are not believed likely. Attacks
against DH1024 are considered just feasible, because most of the work
necessary to deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have to share
the DH1024 private key among multiple clients, which is no longer an option
since CVE-2016-0701.
This only affects processors that su
Bugzilla
CVE-2017-3737 CVE-2017-3738 mingw-openssl: various flaws [epel-7]
bugzilla·2017-12-08·CVSS 5.9
CVE-2017-3737 [MEDIUM] CVE-2017-3737 CVE-2017-3738 mingw-openssl: various flaws [epel-7]
CVE-2017-3737 CVE-2017-3738 mingw-openssl: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the 'fedpkg update' r
Tenable
[R2] SecurityCenter 5.6.1 Fixes Multiple Third-party Vulnerabilities
blogs_tenable·2018-01-15
[R2] SecurityCenter 5.6.1 Fixes Multiple Third-party Vulnerabilities
## Cloud Exposure
Tenable Cloud Security (CNAPP) Request a demo
Tenable Cloud Vulnerability Management Request a demo
Tenable CIEM Request a demo
Secure your cloud
## Vulnerability Exposure
Tenable Vulnerability Management Try for free
Tenable Security Center Request a demo
Tenable Web App Scanning Try for free
Tenable Patch Management Request a demo
Tenable Enclave Security Request a demo
Tenable Attack Surface Management Request a demo
Tenable Nessus Try for free
## AI Exposure
Tenable AI Exposure Request a demo
## OT/IoT Exposure
Tenable OT Security Request a demo
## Identity Exposure
Tenable Identity Exposure Request a demo
## Business needs
Active Directory
AI Security Posture Management (AI-SPM)
AWS security
Azure security
Cloud Security Posture Man
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.securityfocus.com/bid/102118http://www.securitytracker.com/id/1039978https://access.redhat.com/errata/RHSA-2018:0998https://access.redhat.com/errata/RHSA-2018:2185https://access.redhat.com/errata/RHSA-2018:2186https://access.redhat.com/errata/RHSA-2018:2187https://github.com/openssl/openssl/commit/e502cc86df9dafded1694fceb3228ee34d11c11ahttps://nodejs.org/en/blog/vulnerability/december-2017-security-releases/https://security.FreeBSD.org/advisories/FreeBSD-SA-17:12.openssl.aschttps://security.gentoo.org/glsa/201712-03https://security.netapp.com/advisory/ntap-20171208-0001/https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03881en_ushttps://www.debian.org/security/2017/dsa-4065https://www.debian.org/security/2018/dsa-4157https://www.openssl.org/news/secadv/20171207.txthttps://www.openssl.org/news/secadv/20180327.txthttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlhttps://www.tenable.com/security/tns-2017-16https://www.tenable.com/security/tns-2018-04https://www.tenable.com/security/tns-2018-06https://www.tenable.com/security/tns-2018-07http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.securityfocus.com/bid/102118http://www.securitytracker.com/id/1039978https://access.redhat.com/errata/RHSA-2018:0998https://access.redhat.com/errata/RHSA-2018:2185https://access.redhat.com/errata/RHSA-2018:2186https://access.redhat.com/errata/RHSA-2018:2187https://github.com/openssl/openssl/commit/e502cc86df9dafded1694fceb3228ee34d11c11ahttps://nodejs.org/en/blog/vulnerability/december-2017-security-releases/https://security.FreeBSD.org/advisories/FreeBSD-SA-17:12.openssl.aschttps://security.gentoo.org/glsa/201712-03https://security.netapp.com/advisory/ntap-20171208-0001/https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03881en_ushttps://www.debian.org/security/2017/dsa-4065https://www.debian.org/security/2018/dsa-4157https://www.openssl.org/news/secadv/20171207.txthttps://www.openssl.org/news/secadv/20180327.txthttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlhttps://www.tenable.com/security/tns-2017-16https://www.tenable.com/security/tns-2018-04https://www.tenable.com/security/tns-2018-06https://www.tenable.com/security/tns-2018-07
2017-12-07
Published