CVE-2020-1968

Upstream information

CVE-2020-1968 at MITRE

Description

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).

---

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v2 Scores

	National Vulnerability Database
Base Score	4.3
Vector	AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector	Network
Access Complexity	Medium
Authentication	None
Confidentiality Impact	Partial
Integrity Impact	None
Availability Impact	None

CVSS v3 Scores

	National Vulnerability Database	SUSE
Base Score	3.7	5.3
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Access Vector	Network	Network
Access Complexity	High	High
Privileges Required	None	Low
User Interaction	None	None
Scope	Unchanged	Unchanged
Confidentiality Impact	Low	High
Integrity Impact	None	None
Availability Impact	None	None
CVSSv3 Version	3.1	3.1

Note from the SUSE Security Team

This was fixed in openssl 1.0.2f and later versions, our openssl 1.0.2 are not affected by this problem.

SUSE Bugzilla entries: 1176331 [IN_PROGRESS], 1177243 [RESOLVED / WORKSFORME]

SUSE Security Advisories:

• SUSE-SU-2020:14491-1, published Tue Sep 15 07:16:26 MDT 2020
• SUSE-SU-2020:14511-1, published Mon Oct 5 13:15:15 MDT 2020
• SUSE-SU-2020:2634-1, published Tue Sep 15 07:14:20 MDT 2020
• TID000019697, published Thu Sep 10 09:35:51 CEST 2020

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Linux Enterprise Module for Legacy 12	libopenssl0_9_8 >= 0.9.8j-106.21.1 libopenssl0_9_8-32bit >= 0.9.8j-106.21.1	Patchnames: SUSE-SLE-Module-Legacy-12-2020-2634
SUSE Linux Enterprise Point of Sale 11 SP3	libopenssl-devel >= 0.9.8j-0.106.34.1 libopenssl0_9_8 >= 0.9.8j-0.106.34.1 libopenssl0_9_8-hmac >= 0.9.8j-0.106.34.1 openssl >= 0.9.8j-0.106.34.1 openssl-doc >= 0.9.8j-0.106.34.1	Patchnames: sleposp3-openssl-14491
SUSE Linux Enterprise Server 11 SP4-LTSS	libopenssl0_9_8 >= 0.9.8j-0.106.34.1 libopenssl0_9_8-32bit >= 0.9.8j-0.106.34.1 libopenssl0_9_8-hmac >= 0.9.8j-0.106.34.1 libopenssl0_9_8-hmac-32bit >= 0.9.8j-0.106.34.1 openssl >= 0.9.8j-0.106.34.1 openssl-doc >= 0.9.8j-0.106.34.1	Patchnames: slessp4-openssl-14491
SUSE Linux Enterprise Server 11-SECURITY	libopenssl1-devel >= 1.0.1g-0.58.27.2 libopenssl1_0_0 >= 1.0.1g-0.58.27.2 libopenssl1_0_0-32bit >= 1.0.1g-0.58.27.2 libopenssl1_0_0-x86 >= 1.0.1g-0.58.27.2 openssl1 >= 1.0.1g-0.58.27.2 openssl1-doc >= 1.0.1g-0.58.27.2	Patchnames: secsp3-openssl1-14511
SUSE Linux Enterprise Server for SAP Applications 12 SP2	libopenssl0_9_8 >= 0.9.8j-106.21.1	Patchnames: SUSE-SLE-SAP-12-SP2-2020-2634
SUSE Linux Enterprise Server for SAP Applications 12 SP3	libopenssl0_9_8 >= 0.9.8j-106.21.1	Patchnames: SUSE-SLE-SAP-12-SP3-2020-2634
SUSE Linux Enterprise Server for SAP Applications 12 SP4	libopenssl0_9_8 >= 0.9.8j-106.21.1	Patchnames: SUSE-SLE-SAP-12-SP4-2020-2634
SUSE Linux Enterprise Server for SAP Applications 12 SP5	libopenssl0_9_8 >= 0.9.8j-106.21.1	Patchnames: SUSE-SLE-SAP-12-SP5-2020-2634

---

Status of this issue by product and package

Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.

Product(s)	Source package	State
CAASP (1.0)	openssl	Not affected
CAASP (2.0)	openssl	Not affected
CAASP (3.0)	openssl	Not affected
Carwos (1)	openssl-1_1	Not affected
SLE-10-SP2 (n/a)	openssl	Not affected
SLE-10-SP3-MANAGER (n/a)	openssl	Unsupported
SLE-HPC (12)	openssl	Not affected
SLE-HPC (12)	openssl-1_0_0	Not affected
SLE-HPC (12)	openssl-1_1	Not affected
SLED (12)	compat-openssl098	Released
SLED (12)	openssl	Not affected
SLED (12)	openssl-1_0_0	Not affected
SLED (12)	openssl-1_1	Not affected
SLED-10-SP3 (n/a)	compat-openssl097g	Ignore
SLED-10-SP3 (n/a)	openssl	Ignore
SLED-10-SP4 (n/a)	compat-openssl097g	Ignore
SLED-10-SP4 (n/a)	openssl	Ignore
SLES (12)	openssl	Not affected
SLES (12)	openssl-1_0_0	Not affected
SLES (12)	openssl-1_1	Not affected
SLES-10-SP3 (n/a)	compat-openssl097g	Ignore
SLES-10-SP3 (n/a)	openssl	Ignore
SLES-10-SP4 (n/a)	compat-openssl097g	Ignore
SLES-10-SP4 (n/a)	openssl	Ignore
SLES-BCL (12)	openssl	Not affected
SLES-LTSS (12)	openssl	Unsupported
SLES-LTSS (12)	openssl-1_0_0	Not affected
SLES-LTSS (12)	openssl-1_1	Not affected
SLES-LTSS (15)	openssl	Not affected
SLES-LTSS (15)	openssl-1_0_0	Not affected
SLES-LTSS (15)	openssl-1_1	Not affected
SLES-for-VMware (11)	openssl	Unsupported
SLES_LTSS-10-SP4 (n/a)	compat-openssl097g	Ignore
SLES_LTSS-10-SP4 (n/a)	openssl	Ignore
SLES_RPI (12)	openssl	Not affected
SLES_SAP (12)	compat-openssl098	Released
SLES_SAP (12)	openssl	Not affected
SLES_SAP (12)	openssl-1_0_0	Not affected
SLES_SAP (12)	openssl-1_1	Not affected
SLE_HPC-ESPOS (15)	openssl	Not affected
SLE_HPC-ESPOS (15)	openssl-1_1	Not affected
SLE_HPC-LTSS (15)	openssl	Not affected
SLE_HPC-LTSS (15)	openssl-1_1	Not affected
SUSE_SLED (11)	compat-openssl097g	Ignore
SUSE_SLED (11)	openssl	Unsupported
SUSE_SLES (11)	openssl	Unsupported
SUSE_SLES_LTSS (11)	openssl	Unsupported
SUSE_SLES_SAP (11)	compat-openssl097g	Ignore
SUSE_SLES_SAP (11)	openssl	Unsupported
openstack-cloud-magnum-orchestration (7)	openssl	Not affected
sap-aio (11)	compat-openssl097g	Ignore
sap-aio (11)	openssl	Unsupported
sap-es (11)	compat-openssl097g	Ignore
sap-es (11)	openssl	Unsupported
ses (6)	openssl-1_0_0	Not affected
sle-module-basesystem (15)	openssl	Not affected
sle-module-basesystem (15)	openssl-1_1	Unsupported
sle-module-legacy (12)	compat-openssl098	Released
sle-module-legacy (15)	openssl-1_0_0	Not affected
sle-pos (11)	openssl	Released
sle-sdk (11)	openssl	Unsupported
sle-sdk (12)	openssl	Not affected
sle-sdk (12)	openssl-1_0_0	Not affected
sle-sdk (12)	openssl-1_1	Not affected
sle-security (11)	openssl1	Released
sle-studioonsite (1.3)	openssl	Unsupported