CVE-2022-1434 — Use of a Broken or Risky Cryptographic Algorithm in Openssl

CWE-327 — Use of a Broken or Risky Cryptographic Algorithm11 documents7 sources

Severity

5.9MEDIUMNVD

OSV7.3

EPSS

0.1%

top 79.43%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Openssl Debian Openssl

Timeline

PublishedMay 3

Latest updateJun 15

Description

The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the AAD data as the MAC key. This makes the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the co…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶NVDopenssl/openssl3.0.0 — 3.0.3

▶Alpineopenssl/openssl< 3.0.3-r0+6

▶Ubuntuopenssl/openssl< 1.1.1-1ubuntu2.1~18.04.17+2

▶debiandebian/openssl

▶CVEListV5openssl/opensslFixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2)

🔴Vulnerability Details

OSV

openssl, openssl1.0 vulnerabilities↗2022-05-04

▶

OSV

Incorrect MAC key used in the RC4-MD5 ciphersuite↗2022-05-04

▶

GHSA

Incorrect MAC key used in the RC4-MD5 ciphersuite↗2022-05-04

▶

OSV

CVE-2022-1434: The OpenSSL 3↗2022-05-03

▶

OSV

Incorrect MAC key used in the RC4-MD5 ciphersuite↗2022-05-03

▶

📋Vendor Advisories

CISA ICS

Siemens SIMATIC S7-1500 TM MFP Linux Kernel↗2023-06-15

▶

CISA ICS

Siemens Brownfield Connectivity Client↗2023-02-16

▶

Ubuntu

OpenSSL vulnerabilities↗2022-05-04

▶

Red Hat

openssl: Incorrect MAC key used in the RC4-MD5 ciphersuite↗2022-05-03

▶

Debian

CVE-2022-1434: openssl - The OpenSSL 3.0 implementation of the RC4-MD5 ciphersuite incorrectly uses the A...↗2022

▶