SSL: OpenSSL ChaCha20-Poly1305 and RC4-MD5 Integer Underflow
An integer underflow vulnerability leading to an out of bounds read has been reported in OpenSSL. Successful exploitation results in denial of service conditions on the affected service.
Extended Description
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA20/POLY1305; users should upgrade to 1.1.0d. For Openssl 1.0.2, the crash can be triggered when using RC4-MD5; users who have not disabled that algorithm should update to 1.0.2k.
Affected Products
Nodejs node.js
Short Name
SSL:OPENSSL-CVE-2017-3731-DOS
Severity
Major
Recommended
False
Recommended Action
None
Category
SSL
Keywords
CVE-2017-3731 ChaCha20-Poly1305 Integer OpenSSL RC4-MD5 Underflow and bid:95813
Release Date
02/28/2017
Supported Platforms
srx-branch-12.3
srx-branch-19.3
vsrx3bsd-19.2
vsrx3bsd-19.4
srx-branch-19.4
vsrx-19.4
srx-19.4
vsrx-12.3
srx-12.3
vsrx-19.2
srx-19.3
vmx-19.4
mx-12.3
mx-19.4
mx-19.3
vmx-19.3
Sigpack Version
3735
False Positive
Occasionally
Vendors
Openssl
Nodejs
CVSS Score
5.0