Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2020-1968

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).

Published

2020-09-09T14:15:12.507

Last Modified

2024-11-21T05:11:45.367

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.7 (LOW)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

2.9

Weaknesses

Type: Primary
CWE-203

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	openssl	openssl	≤ 1.0.2v	Yes
Operating System	canonical	ubuntu_linux	16.04	Yes
Operating System	canonical	ubuntu_linux	18.04	Yes
Operating System	debian	debian_linux	9.0	Yes
Application	oracle	jd_edwards_world_security	a9.4	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.56	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.57	Yes
Application	oracle	peoplesoft_enterprise_peopletools	8.58	Yes
Operating System	oracle	ethernet_switch_es2-64_firmware	2.0.0.14	Yes
Hardware	oracle	ethernet_switch_es2-64	-	No
Operating System	oracle	ethernet_switch_es2-72_firmware	2.0.0.14	Yes
Hardware	oracle	ethernet_switch_es2-72	-	No
Operating System	fujitsu	m10-1_firmware	< xcp2400	Yes
Hardware	fujitsu	m10-1	-	No
Operating System	fujitsu	m10-4_firmware	< xcp2400	Yes
Hardware	fujitsu	m10-4	-	No
Operating System	fujitsu	m10-4s_firmware	< xcp2400	Yes
Hardware	fujitsu	m10-4s	-	No
Operating System	fujitsu	m12-1_firmware	< xcp2400	Yes
Hardware	fujitsu	m12-1	-	No
Operating System	fujitsu	m12-2_firmware	< xcp2400	Yes
Hardware	fujitsu	m12-2	-	No
Operating System	fujitsu	m12-2s_firmware	< xcp2400	Yes
Hardware	fujitsu	m12-2s	-	No
Operating System	fujitsu	m10-1_firmware	< xcp3100	Yes
Hardware	fujitsu	m10-1	-	No
Operating System	fujitsu	m10-4_firmware	< xcp3100	Yes
Hardware	fujitsu	m10-4	-	No
Operating System	fujitsu	m10-4s_firmware	< xcp3100	Yes
Hardware	fujitsu	m10-4s	-	No
Operating System	fujitsu	m12-1_firmware	< xcp3100	Yes
Hardware	fujitsu	m12-1	-	No
Operating System	fujitsu	m12-2_firmware	< xcp3100	Yes
Hardware	fujitsu	m12-2	-	No
Operating System	fujitsu	m12-2s_firmware	< xcp3100	Yes
Hardware	fujitsu	m12-2s	-	No
Operating System	oracle	ethernet_switch_es1-24_firmware	1.3.1	Yes
Hardware	oracle	ethernet_switch_es1-24	-	No
Operating System	oracle	ethernet_switch_tor-72_firmware	1.2.2	Yes
Hardware	oracle	ethernet_switch_tor-72	-	No

References

https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html Mailing List, Third Party Advisory ([email protected])
https://security.gentoo.org/glsa/202210-02 Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20200911-0004/ Third Party Advisory ([email protected])
https://usn.ubuntu.com/4504-1/ Third Party Advisory ([email protected])
https://www.openssl.org/news/secadv/20200909.txt Vendor Advisory ([email protected])
https://www.oracle.com//security-alerts/cpujul2021.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuApr2021.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpujan2021.html Third Party Advisory ([email protected])
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202210-02 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20200911-0004/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4504-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.openssl.org/news/secadv/20200909.txt Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com//security-alerts/cpujul2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuApr2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2021.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuoct2021.html Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)