edit-icon download-icon

[Vulnerability notice] CVE-2017-3733: Encrypt-Then-Mac renegotiation DDoS vulnerability in OpenSSL

Last Updated: Apr 02, 2018

On February 16, 2017, OpenSSL released a security publication, announcing that the OpenSSL development team had fixed a severe DoS vulnerability, CVE-2017-3733.

This vulnerability was reported by Red Hat’s Joe Orton on January 31. It is an Encrypt-Then-MAC renegotiation crash vulnerability.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-3733

Vulnerability name

OpenSSL Encrypt-Then-Mac renegotiation DDoS vulnerability

Vulnerability rating

High

Vulnerability description

During a renegotiation handshake, if the Encrypt-Then-Mac extension is negotiated where it was not in the original handshake (or vice versa), then this can cause OpenSSL to crash (dependent on the ciphersuite), affecting both clients and servers.

Condition and method of exploitation

This vulnerability can be exploited to run code remotely.

Affected scope

OpenSSL 1.1.0

Unaffected version: 1.0.2

How to fix or mitigate

The latest version openssl-1.1.0e.tar.gz has been released officially. Upgrade your OpenSSL to the latest version as soon as possible.

Reference

[1]. https://www.openssl.org/news/secadv/20170216.txt
[2]. https://www.baidu.com/baidu?tn=dealio_dg&wd=Encrypt-Then-Mac+renegotiation+crash

Thank you! We've received your feedback.