Vulnerability Description
The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openssl | Openssl | >= 1.0.2, <= 1.0.2v |
| Canonical | Ubuntu Linux | 16.04 |
| Debian | Debian Linux | 9.0 |
| Oracle | Jd Edwards World Security | a9.4 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.56 |
| Oracle | Ethernet Switch Es2-64 Firmware | 2.0.0.14 |
| Oracle | Ethernet Switch Es2-64 | - |
| Oracle | Ethernet Switch Es2-72 Firmware | 2.0.0.14 |
| Oracle | Ethernet Switch Es2-72 | - |
| Fujitsu | M10-1 Firmware | < xcp2400 |
| Fujitsu | M10-1 | - |
| Fujitsu | M10-4 Firmware | < xcp2400 |
| Fujitsu | M10-4 | - |
| Fujitsu | M10-4S Firmware | < xcp2400 |
| Fujitsu | M10-4S | - |
| Fujitsu | M12-1 Firmware | < xcp2400 |
| Fujitsu | M12-1 | - |
| Fujitsu | M12-2 Firmware | < xcp2400 |
| Fujitsu | M12-2 | - |
| Fujitsu | M12-2S Firmware | < xcp2400 |
Related Weaknesses (CWE)
References
- https://lists.debian.org/debian-lts-announce/2020/09/msg00016.htmlMailing ListThird Party Advisory
- https://security.gentoo.org/glsa/202210-02Third Party Advisory
- https://security.netapp.com/advisory/ntap-20200911-0004/Third Party Advisory
- https://usn.ubuntu.com/4504-1/Third Party Advisory
- https://www.openssl.org/news/secadv/20200909.txtVendor Advisory
- https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuApr2021.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
- https://www.oracle.com/security-alerts/cpujan2021.htmlThird Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/09/msg00016.htmlMailing ListThird Party Advisory
- https://security.gentoo.org/glsa/202210-02Third Party Advisory
- https://security.netapp.com/advisory/ntap-20200911-0004/Third Party Advisory
- https://usn.ubuntu.com/4504-1/Third Party Advisory
- https://www.openssl.org/news/secadv/20200909.txtVendor Advisory
FAQ
What is CVE-2020-1968?
CVE-2020-1968 is a vulnerability with a CVSS score of 3.7 (LOW). The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphers...
How severe is CVE-2020-1968?
CVE-2020-1968 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-1968?
Check the references section above for vendor advisories and patch information. Affected products include: Openssl Openssl, Canonical Ubuntu Linux, Debian Debian Linux, Oracle Jd Edwards World Security, Oracle Peoplesoft Enterprise Peopletools.