Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | NONE |
Published | 2019-03-06 |
Updated | 2023-11-07 |
Summary
ChaCha20-Poly1305 is an AEAD cipher and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front-pads the nonce with 0 bytes if it is shorter than 12 bytes. However, it also incorrectly allows a nonce of up to 16 bytes to be set. In this case only the last 12 bytes are significant and any additional leading bytes are ignored.

It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then changes only the leading bytes of the nonce, expecting the new value to be a fresh unique nonce, it could inadvertently encrypt messages with a reused nonce. Additionally, the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However, user applications that use this cipher directly and set a non-default nonce length longer than 12 bytes may be vulnerable.

OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments it was assessed as low severity and no dedicated releases were made at the time of the advisory; the fix shipped with the next regular releases. Fixed in OpenSSL 1.1.1c (affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (affected 1.1.0-1.1.0j).
Vulnerable Configurations
Part | Description | Count |
Application | Openssl | 31 |
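The configuration count above, like the Nessus plugins further down this page, is keyed on version strings. The following added example (not OpenSSL project code) probes the libcrypto actually loaded at runtime instead: it selects `EVP_chacha20_poly1305` and asks `EVP_CIPHER_CTX_ctrl` for a 16-byte IV length through `EVP_CTRL_AEAD_SET_IVLEN`. Affected 1.1.0/1.1.1 builds return 1 for that request; builds carrying the 1.1.0k / 1.1.1c fix, and OpenSSL 3.x, return 0. Loading is done with `ctypes`, so no bindings beyond the standard library are assumed; the helper names `chacha20_poly1305_iv_len_accepted` and `cve_2019_1543_status`, and the list of library names tried, are this example's own.

```python
"""Runtime probe for CVE-2019-1543 (added example, not OpenSSL project code)."""
import ctypes
import ctypes.util

EVP_CTRL_AEAD_SET_IVLEN = 0x9  # value from <openssl/evp.h> (OpenSSL 1.1.0 and later)


def _load_libcrypto():
    """Try versioned sonames first; the unversioned macOS system stub aborts on load
    (assumption about the platform, hence skipped)."""
    candidates = ["libcrypto.so.3", "libcrypto.so.1.1", "libcrypto.so.1.0.0"]
    found = ctypes.util.find_library("crypto")
    if found and not found.endswith("/usr/lib/libcrypto.dylib"):
        candidates.append(found)
    for name in candidates:
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    return None


def chacha20_poly1305_iv_len_accepted(ivlen, lib=None):
    """True if libcrypto accepts `ivlen` for ChaCha20-Poly1305, False if it refuses,
    None if no usable libcrypto (or no ChaCha20-Poly1305, e.g. OpenSSL 1.0.x) is present."""
    lib = lib if lib is not None else _load_libcrypto()
    if lib is None or not hasattr(lib, "EVP_chacha20_poly1305"):
        return None
    lib.EVP_chacha20_poly1305.restype = ctypes.c_void_p
    lib.EVP_CIPHER_CTX_new.restype = ctypes.c_void_p
    lib.EVP_CIPHER_CTX_free.argtypes = [ctypes.c_void_p]
    lib.EVP_EncryptInit_ex.argtypes = [ctypes.c_void_p] * 5
    lib.EVP_EncryptInit_ex.restype = ctypes.c_int
    lib.EVP_CIPHER_CTX_ctrl.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_int, ctypes.c_void_p]
    lib.EVP_CIPHER_CTX_ctrl.restype = ctypes.c_int

    cipher = lib.EVP_chacha20_poly1305()
    ctx = lib.EVP_CIPHER_CTX_new()
    if not cipher or not ctx:
        return None
    try:
        # Select the cipher with no key/IV yet, then request the IV length.
        if lib.EVP_EncryptInit_ex(ctx, cipher, None, None, None) != 1:
            return None
        return lib.EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, None) == 1
    finally:
        lib.EVP_CIPHER_CTX_free(ctx)


def cve_2019_1543_status():
    """'affected' if a 16-byte IV is accepted, 'fixed' if refused, 'unknown' if untestable."""
    twelve = chacha20_poly1305_iv_len_accepted(12)
    sixteen = chacha20_poly1305_iv_len_accepted(16)
    if not twelve or sixteen is None:
        return "unknown"   # the RFC length must work before the over-long one means anything
    return "affected" if sixteen else "fixed"


if __name__ == "__main__":
    print("ChaCha20-Poly1305 16-byte IV:", cve_2019_1543_status())
```

This only tells you whether the library would let an application set a long IV; a "fixed" result does not inspect the application's own nonce construction, and an "affected" result matters only for code that calls this cipher directly with a non-default IV length, exactly as the advisory scopes it.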
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw-brute force attacks.
- Signature Spoofing by Key Recreation
An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
- Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2019-0787-1.NASL |
description | This update for openssl-1_1 (OpenSSL Security Advisory [6 March 2019]) fixes the following issues : Security issue fixed : CVE-2019-1543: Fixed an implementation error in ChaCha20-Poly1305 where it was allowed to set IV with more than 12 bytes (bsc#1128189). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 123498 |
published | 2019-03-29 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/123498 |
title | SUSE SLED12 / SLES12 Security Update : openssl-1_1 (SUSE-SU-2019:0787-1) |
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2019-9A0A7C0986.NASL |
description | Patch for CVE-2018-0737, CVE-2018-0732, CVE-2018-0734, CVE-2019-1552, CVE-2019-1559. https://www.openssl.org/news/vulnerabilities.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 129368 |
published | 2019-09-26 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/129368 |
title | Fedora 29 : 1:compat-openssl10 (2019-9a0a7c0986) |
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2019-DB06EFDEA1.NASL |
description | Patch for CVE-2018-0737, CVE-2018-0732, CVE-2018-0734, CVE-2019-1552, CVE-2019-1559. https://www.openssl.org/news/vulnerabilities.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 129653 |
published | 2019-10-07 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/129653 |
title | Fedora 31 : 1:compat-openssl10 (2019-db06efdea1) |
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-4475.NASL |
description | Joran Dirk Greef discovered that overly long nonces used with ChaCha20-Poly1305 were incorrectly processed and could result in nonce reuse. This doesn |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 126392 |
published | 2019-07-02 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/126392 |
title | Debian DSA-4475-1 : openssl - security update |
NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2019-1147.NASL |
description | This update for openssl-1_1 (OpenSSL Security Advisory [6 March 2019]) fixes the following issues : Security issue fixed : - CVE-2019-1543: Fixed an implementation error in ChaCha20-Poly1305 where it was allowed to set IV with more than 12 bytes (bsc#1128189). Other issues addressed : - Fixed a segfault in openssl speed when an unknown algorithm is passed (bsc#1125494). - Correctly skipped binary curves in openssl speed to avoid spitting errors (bsc#1116833). This update was imported from the SUSE:SLE-15:Update update project. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 123776 |
published | 2019-04-05 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/123776 |
title | openSUSE Security Update : openssl-1_1 (openSUSE-2019-1147) |
NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2019-1328.NASL |
description | According to the version of the openssl110f packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time.(CVE-2019-1543) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-05-06 |
modified | 2019-05-06 |
plugin id | 124614 |
published | 2019-05-06 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/124614 |
title | EulerOS 2.0 SP3 : openssl110f (EulerOS-SA-2019-1328) |
NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2019-1814.NASL |
description | This update for virtualbox to version 6.0.10 fixes the following issues : Security issues fixed : - CVE-2019-2859 CVE-2019-2867 CVE-2019-2866 CVE-2019-2864 CVE-2019-2865 CVE-2019-1543 CVE-2019-2863 CVE-2019-2848 CVE-2019-2877 CVE-2019-2873 CVE-2019-2874 CVE-2019-2875 CVE-2019-2876 CVE-2019-2850 (boo#1141801) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 127734 |
published | 2019-08-12 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/127734 |
title | openSUSE Security Update : virtualbox (openSUSE-2019-1814) |
NASL family | Web Servers |
NASL id | OPENSSL_1_1_0K.NASL |
description | The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 1.1.0k advisory. - ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. (CVE-2019-1543) Note that Nessus has not tested for this issue but has instead relied only on the application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 125642 |
published | 2019-06-03 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/125642 |
title | OpenSSL 1.1.0 < 1.1.0k Vulnerability |
NASL family | Misc. |
NASL id | VIRTUALBOX_JUL_2019_CPU.NASL |
description | The version of Oracle VM VirtualBox running on the remote host is 5.2.x prior to 5.2.32 or 6.0.x prior to 6.0.10. It is, therefore, affected by multiple vulnerabilities as noted in the July 2019 Critical Patch Update advisory: - Unspecified vulnerabilities in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core), which could allow an authenticated, local attacker to take over Oracle VM VirtualBox. (CVE-2019-2859, CVE-2019-2863, CVE-2019-2866, CVE-2019-2867) - An unspecified vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core (OpenSSL)), which could allow an unauthenticated, remote attacker to create, delete or modify critical data in Oracle VM VirtualBox. (CVE-2019-1543) - Unspecified vulnerabilities in the Oracle VM VirtualBox component of Oracle Virtualization (subcomponent: Core), which could allow an authenticated, local attacker to cause a hang or repeatable crash (DoS) of Oracle VM VirtualBox. (CVE-2019-2848, CVE-2019-2873, CVE-2019-2874, CVE-2019-2875, CVE-2019-2876, CVE-2019-2877) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 126778 |
published | 2019-07-18 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/126778 |
title | Oracle VM VirtualBox 5.2.x < 5.2.32 / 6.0.x < 6.0.10 (Jul 2019 CPU) |
NASL family | SuSE Local Security Checks |
NASL id | SUSE_SU-2019-0678-1.NASL |
description | This update for openssl-1_1 (OpenSSL Security Advisory [6 March 2019]) fixes the following issues : Security issue fixed : CVE-2019-1543: Fixed an implementation error in ChaCha20-Poly1305 where it was allowed to set IV with more than 12 bytes (bsc#1128189). Other issues addressed: Fixed a segfault in openssl speed when an unknown algorithm is passed (bsc#1125494). Correctly skipped binary curves in openssl speed to avoid spitting errors (bsc#1116833). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 123060 |
published | 2019-03-25 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/123060 |
title | SUSE SLED15 / SLES15 Security Update : openssl-1_1 (SUSE-SU-2019:0678-1) |
NASL family | Misc. |
NASL id | ORACLE_ENTERPRISE_MANAGER_APR_2020_CPU.NASL |
description | The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the April 2020 CPU advisory. - Perl before 5.26.3 and 5.28.x before 5.28.1 has a buffer overflow via a crafted regular expression that triggers invalid write operations. (CVE-2018-18311) - ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. Fixed in OpenSSL 1.1.1c (Affected 1.1.1-1.1.1b). Fixed in OpenSSL 1.1.0k (Affected 1.1.0-1.1.0j). (CVE-2019-1543) - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Discovery Framework (Oracle OHS)). Supported versions that are affected are 13.2.0.0 and 13.3.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform. (CVE-2020-2961) Note that Nessus has not tested for this issue but has instead relied only on the application |
last seen | 2020-04-23 |
modified | 2020-04-16 |
plugin id | 135679 |
published | 2020-04-16 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/135679 |
title | Oracle Enterprise Manager Cloud Control (Apr 2020 CPU) |
NASL family | Web Servers |
NASL id | OPENSSL_1_1_1C.NASL |
description | The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 1.1.1c advisory. - ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. (CVE-2019-1543) Note that Nessus has not tested for this issue but has instead relied only on the application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 125641 |
published | 2019-06-03 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/125641 |
title | OpenSSL 1.1.1 < 1.1.1c Vulnerability |
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_FC91F2EFFD7B11E9A1C7B499BAEBFEAF.NASL |
description | Oracle reports : This Critical Patch Update contains 31 new security fixes for Oracle MySQL. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 130496 |
published | 2019-11-04 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/130496 |
title | FreeBSD : MySQL -- Multiple vulnerabilities (fc91f2ef-fd7b-11e9-a1c7-b499baebfeaf) |
NASL family | Misc. |
NASL id | ORACLE_MYSQL_CONNECTORS_CPU_OCT_2019.NASL |
description | The version of Oracle MySQL Connectors installed on the remote host is 8.0.x prior to 8.0.18 or 5.3.x prior to 5.3.14. It is, therefore, affected by the following vulnerabilities as noted in the October 2019 Critical Patch Update advisory: - An unspecified, remote security vulnerability in the Connector/ODBC component of Oracle MySQL Connectors. (CVE-2019-2920) - A vulnerability in the OpenSSL subcomponent of the Connector/ODBC component of Oracle MySQL Connectors caused by the ability to set variable nonce lengths in the ChaCha20-Poly1305 AEAD cipher. This could allow an unauthenticated, remote attacker to affect data confidentiality and integrity. (CVE-2019-1543) Note that Nessus has not tested for this issue but has instead relied only on the application |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 129974 |
published | 2019-10-16 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/129974 |
title | Oracle MySQL Connectors Multiple Vulnerabilities (Oct 2019 CPU) |
NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2019-1327.NASL |
description | According to the version of the openssl110f packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time.(CVE-2019-1543) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-05-06 |
modified | 2019-05-06 |
plugin id | 124613 |
published | 2019-05-06 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/124613 |
title | EulerOS 2.0 SP2 : openssl110f (EulerOS-SA-2019-1327) |
NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2019-1890.NASL |
description | According to the versions of the openssl110h packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. It is a requirement of using this cipher that nonce values are unique. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks. If an application changes the default nonce length to be longer than 12 bytes and then makes a change to the leading bytes of the nonce expecting the new value to be a new unique nonce then such an application could inadvertently encrypt messages with a reused nonce. Additionally the ignored bytes in a long nonce are not covered by the integrity guarantee of this cipher. Any application that relies on the integrity of these ignored leading bytes of a long nonce may be further affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe because no such use sets such a long nonce value. However user applications that use this cipher directly and set a non-default nonce length to be longer than 12 bytes may be vulnerable. OpenSSL versions 1.1.1 and 1.1.0 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time.(CVE-2019-1543) - OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the --prefix / --openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be |
last seen | 2020-05-08 |
modified | 2019-09-16 |
plugin id | 128813 |
published | 2019-09-16 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/128813 |
title | EulerOS 2.0 SP5 : openssl110h (EulerOS-SA-2019-1890) |
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2019-3700.NASL |
description | An update for openssl is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. The following packages have been upgraded to a later upstream version: openssl (1.1.1c). (BZ#1643026) Security Fix(es) : * openssl: timing side channel attack in the DSA signature algorithm (CVE-2018-0734) * openssl: timing side channel attack in the ECDSA signature generation (CVE-2018-0735) * openssl: ChaCha20-Poly1305 with long nonces (CVE-2019-1543) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 130567 |
published | 2019-11-06 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/130567 |
title | RHEL 8 : openssl (RHSA-2019:3700) |
NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_E56F2F7C410E11E9B95CB499BAEBFEAF.NASL |
description | The OpenSSL project reports : Low: ChaCha20-Poly1305 with long nonces (CVE-2019-1543) ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for every encryption operation. RFC 7539 specifies that the nonce value (IV) should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and front pads the nonce with 0 bytes if it is less than 12 bytes. However it also incorrectly allows a nonce to be set of up to 16 bytes. In this case only the last 12 bytes are significant and any additional leading bytes are ignored. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 122686 |
published | 2019-03-08 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/122686 |
title | FreeBSD : OpenSSL -- ChaCha20-Poly1305 nonce vulnerability (e56f2f7c-410e-11e9-b95c-b499baebfeaf) |
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2019-00C25B9379.NASL |
description | Patch for CVE-2018-0737, CVE-2018-0732, CVE-2018-0734, CVE-2019-1552, CVE-2019-1559. https://www.openssl.org/news/vulnerabilities.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 129319 |
published | 2019-09-25 |
reporter | This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/129319 |
title | Fedora 30 : 1:compat-openssl10 (2019-00c25b9379) |
Redhat
advisories
bugzilla | id | 1714245 | title | DSA ciphers in TLS don't work with SHA-1 signatures even in LEGACY level |
oval criteria | OR
  comment | Red Hat Enterprise Linux must be installed | oval | oval:com.redhat.rhba:tst:20070304026 |
  AND
    comment | Red Hat Enterprise Linux 8 is installed | oval | oval:com.redhat.rhba:tst:20193384074 |
    OR
      AND
        comment | openssl is earlier than 1:1.1.1c-2.el8 | oval | oval:com.redhat.rhsa:tst:20193700001 |
        comment | openssl is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20171929008 |
      AND
        comment | openssl-debugsource is earlier than 1:1.1.1c-2.el8 | oval | oval:com.redhat.rhsa:tst:20193700003 |
        comment | openssl-debugsource is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhsa:tst:20193700004 |
      AND
        comment | openssl-devel is earlier than 1:1.1.1c-2.el8 | oval | oval:com.redhat.rhsa:tst:20193700005 |
        comment | openssl-devel is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20171929002 |
      AND
        comment | openssl-perl is earlier than 1:1.1.1c-2.el8 | oval | oval:com.redhat.rhsa:tst:20193700007 |
        comment | openssl-perl is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20171929004 |
      AND
        comment | openssl-libs is earlier than 1:1.1.1c-2.el8 | oval | oval:com.redhat.rhsa:tst:20193700009 |
        comment | openssl-libs is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20171929010 |
rhsa | id | RHSA-2019:3700 | released | 2019-11-05 | severity | Low | title | RHSA-2019:3700: openssl security, bug fix, and enhancement update (Low) |
rpms
- openssl-1:1.1.1c-2.el8
- openssl-debuginfo-1:1.1.1c-2.el8
- openssl-debugsource-1:1.1.1c-2.el8
- openssl-devel-1:1.1.1c-2.el8
- openssl-libs-1:1.1.1c-2.el8
- openssl-libs-debuginfo-1:1.1.1c-2.el8
- openssl-perl-1:1.1.1c-2.el8