CVE-2019-1551
moderate-risk
Published 2019-12-06
There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).
Do I need to act?
~
3.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10
Medium
NETWORK
/ LOW complexity
Affected Products (16)
References (48)
Third Party Advisory
http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-...
Mailing List
https://seclists.org/bugtraq/2019/Dec/39
Mailing List
https://seclists.org/bugtraq/2019/Dec/46
Third Party Advisory
https://security.gentoo.org/glsa/202004-10
Third Party Advisory
https://security.netapp.com/advisory/ntap-20191210-0001/
Third Party Advisory
https://usn.ubuntu.com/4376-1/
Third Party Advisory
https://usn.ubuntu.com/4504-1/
Third Party Advisory
https://www.debian.org/security/2019/dsa-4594
Third Party Advisory
https://www.debian.org/security/2021/dsa-4855
Vendor Advisory
https://www.openssl.org/news/secadv/20191206.txt
and 28 more references
46
/ 100
moderate-risk
Severity
21/34 · High
Exploitability
7/34 · Low
Exposure
18/34 · Moderate