exploit the possibilities
Showing 1 - 4 of 4 RSS Feed

CVE-2019-1559

Status Candidate

Overview

If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).

Related Files

Gentoo Linux Security Advisory 201903-10
Posted Mar 14, 2019
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201903-10 - Multiple Information Disclosure vulnerabilities in OpenSSL allow attackers to obtain sensitive information. Versions less than 1.0.2r are affected.

tags | advisory, vulnerability, info disclosure
systems | linux, gentoo
advisories | CVE-2018-5407, CVE-2019-1559
MD5 | b2e9c1b57341130f34be8af5a74d57be
Debian Security Advisory 4400-1
Posted Mar 1, 2019
Authored by Debian | Site debian.org

Debian Linux Security Advisory 4400-1 - Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding oracle attack in OpenSSL.

tags | advisory
systems | linux, debian
advisories | CVE-2019-1559
MD5 | 3ae403132ce04513055ca44d9713a40d
Slackware Security Advisory - openssl Updates
Posted Feb 27, 2019
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New openssl packages are available for Slackware 14.2 to fix a security issue.

tags | advisory
systems | linux, slackware
advisories | CVE-2019-1559
MD5 | b461424a888f769f20904a5db217b6d8
Ubuntu Security Notice USN-3899-1
Posted Feb 27, 2019
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3899-1 - Juraj Somorovsky, Robert Merget, and Nimrod Aviram discovered that certain applications incorrectly used OpenSSL and could be exposed to a padding oracle attack. A remote attacker could possibly use this issue to decrypt data.

tags | advisory, remote
systems | linux, ubuntu
advisories | CVE-2019-1559
MD5 | 649244f74bfef62f2e8d667bc9b80619
Page 1 of 1
Back1Next

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    8 Files
  • 19
    Apr 19th
    4 Files
  • 20
    Apr 20th
    5 Files
  • 21
    Apr 21st
    1 Files
  • 22
    Apr 22nd
    4 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close