Vulnerability Details : CVE-2018-0733
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
Exploit prediction scoring system (EPSS) score for CVE-2018-0733
Probability of exploitation activity in the next 30 days: 1.45%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 85 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2018-0733
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
|
5.9
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
2.2
|
3.6
|
NIST |
References for CVE-2018-0733
-
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
CPU Oct 2018
-
http://www.securitytracker.com/id/1040576
OpenSSL Bugs Let Users Deny Service and Bypass Authentication in Certain Cases - SecurityTrackerThird Party Advisory;VDB Entry
-
https://www.tenable.com/security/tns-2018-04
[R1] OpenSSL Stand-alone Patch Available for SecurityCenter versions 5.0 or Later - Security Advisory | Tenable®
-
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Oracle Critical Patch Update - July 2019
-
https://security.netapp.com/advisory/ntap-20180330-0002/
March 2018 OpenSSL Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Oracle Critical Patch Update - April 2019
-
https://security.gentoo.org/glsa/201811-21
OpenSSL: Multiple vulnerabilities (GLSA 201811-21) — Gentoo security
-
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
Oracle Critical Patch Update - January 2019
-
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f
git.openssl.org Git - openssl.git/commitdiffPatch;Vendor Advisory
-
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CPU July 2018
-
http://www.securityfocus.com/bid/103517
OpenSSL CVE-2018-0733 Security Bypass VulnerabilityThird Party Advisory;VDB Entry
-
https://www.tenable.com/security/tns-2018-06
[R1] Industrial Security 1.1.0 Fixes One Third-party Vulnerability - Security Advisory | Tenable®
-
https://www.tenable.com/security/tns-2018-07
[R1] Nessus Network Monitor 5.5.0 Fixes One Third-party Vulnerability - Security Advisory | Tenable®
-
https://www.openssl.org/news/secadv/20180327.txt
Vendor Advisory
Products affected by CVE-2018-0733
- cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*