Advisory ID: 12267

Release date: 2016-03-02

Last Updated: 2016-03-02

Issue Severity: No Impact

Source

Source: OpenSSL.org

Release date: 2016-03-01

CVSS v2 Base Score: High

Problem Description

s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they *displace* encrypted-key bytes. This leads to an efficient divide-and-conquer key recovery attack: If an eavesdropper has intercepted an SSLv2 handshake, they can use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation.

Find out more about CVE-2016-0703 in the MITRE CVE directory.
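
The missing check described above, written out as an added example (not OpenSSL's or FoxT's code): a validator for the length fields of an SSLv2 CLIENT-MASTER-KEY message that rejects clear-key bytes for a non-export cipher. The function name, status codes and sample messages are constructed for illustration; the cipher table follows the SSLv2 specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
enum cmk_status { CMK_OK, CMK_MALFORMED, CMK_UNKNOWN_CIPHER,
                  CMK_BAD_CLEAR_LEN, CMK_CLEAR_KEY_FORBIDDEN };

/* SSLv2 CIPHER-KIND, total key bytes, bytes that must arrive RSA-encrypted. */
static const struct { uint32_t kind; size_t key_len, secret_len; } ciphers[] = {
    {0x010080, 16, 16},  /* RC4_128_WITH_MD5 */
    {0x020080, 16,  5},  /* RC4_128_EXPORT40_WITH_MD5 */
    {0x030080, 16, 16},  /* RC2_128_CBC_WITH_MD5 */
    {0x040080, 16,  5},  /* RC2_128_CBC_EXPORT40_WITH_MD5 */
    {0x050080, 16, 16},  /* IDEA_128_CBC_WITH_MD5 */
    {0x060040,  8,  8},  /* DES_64_CBC_WITH_MD5 */
    {0x0700C0, 24, 24},  /* DES_192_EDE3_CBC_WITH_MD5 */
};

/* Header: type(1) cipher-kind(3) clear-len(2) enc-len(2) key-arg-len(2). */
enum cmk_status check_client_master_key(const uint8_t *m, size_t len)
{
    if (len < 10 || m[0] != 2)               /* 2 = CLIENT-MASTER-KEY */
        return CMK_MALFORMED;
    uint32_t kind = ((uint32_t)m[1] << 16) | ((uint32_t)m[2] << 8) | m[3];
    size_t clear = ((size_t)m[4] << 8) | m[5];
    size_t enc   = ((size_t)m[6] << 8) | m[7];
    size_t arg   = ((size_t)m[8] << 8) | m[9];
    if (len - 10 != clear + enc + arg)       /* body must match declared lengths */
        return CMK_MALFORMED;
    for (size_t i = 0; i < sizeof ciphers / sizeof ciphers[0]; i++) {
        if (ciphers[i].kind != kind)
            continue;
        /* Clear-key bytes permitted: 0 for every non-export cipher. */
        size_t allowed = ciphers[i].key_len - ciphers[i].secret_len;
        if (clear == allowed)
            return CMK_OK;
        return allowed == 0 ? CMK_CLEAR_KEY_FORBIDDEN : CMK_BAD_CLEAR_LEN;
    }
    return CMK_UNKNOWN_CIPHER;
}

/* Constructed samples: real header fields, zero-filled placeholder bodies. */
static const uint8_t msg_ok[10 + 128]            = {2, 0x01, 0x00, 0x80, 0, 0,  0, 128, 0, 0};
static const uint8_t msg_displaced[10 + 5 + 128] = {2, 0x01, 0x00, 0x80, 0, 5,  0, 128, 0, 0};
static const uint8_t msg_export[10 + 11 + 128]   = {2, 0x02, 0x00, 0x80, 0, 11, 0, 128, 0, 0};
int main(void)
{
    printf("%d %d %d\n", check_client_master_key(msg_ok, sizeof msg_ok),
           check_client_master_key(msg_displaced, sizeof msg_displaced),
           check_client_master_key(msg_export, sizeof msg_export));
    return 0;
}
```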

Impact

None.

Affected Products

All FoxT products have the SSLv2 protocol disabled and are thus not affected by this vulnerability.

Workaround

N/A.

Obtaining Fixed Software

N/A.

External References

OpenSSL Security Advisory.



Last Modified On: May 25, 2018