OpenSSL Security Advisory

Dmitry Belyavsky beldmit at
Wed Sep 9 12:44:53 UTC 2020

Is the description of the attack publicly available?

On Wed, Sep 9, 2020 at 3:39 PM OpenSSL <openssl at> wrote:

> OpenSSL Security Advisory [09 September 2020]
> =============================================
>
> Raccoon Attack (CVE-2020-1968)
> ==============================
>
> Severity: Low
>
> The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites.
>
> OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and does not implement any "static" DH ciphersuites.
>
> OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH ciphersuite is used. These static "DH" ciphersuites are ones that start with the text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these ciphersuites all start with "TLS_DH_" but exclude those that start with "TLS_DH_anon_".
>
> OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS connections in server processes unless the SSL_OP_SINGLE_DH_USE option was explicitly configured. Therefore all ciphersuites that use DH in servers (including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f SSL_OP_SINGLE_DH_USE was made the default and it could not be turned off as a response to CVE-2016-0701.
>
> Since the vulnerability lies in the TLS specification, fixing the affected ciphersuites is not viable. For this reason 1.0.2w moves the affected ciphersuites into the "weak-ssl-ciphers" list. Support for the "weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause interoperability problems in most cases since use of these ciphersuites is rare.
>
> Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at compile time with the "enable-weak-ssl-ciphers" option. This is not recommended.
>
> OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w. If upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure that affected ciphersuites are disabled through runtime configuration. Also note that the affected ciphersuites are only available on the server side if a DH certificate has been configured. These certificates are very rarely used and for this reason this issue has been classified as LOW severity.
>
> This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to allow co-ordinated disclosure with other implementations.
>
> Note
> ====
>
> OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers:
>
> OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of this issue on OpenSSL 1.1.0 has not been analysed.
>
> Users of these versions should upgrade to OpenSSL 1.1.1.
>
> References
> ==========
>
> URL for this Security Advisory:
>
> Note: the online version of the advisory may be updated with additional details over time.
>
> For details of OpenSSL severity classifications please see:

SY, Dmitry Belyavsky
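The advisory quoted above spells out, version by version, when an OpenSSL server could reuse a DH secret across connections (the precondition for Raccoon) and which ciphersuite names identify the static DH suites. The following script is an added example, not part of the thread or of OpenSSL's own tooling: it encodes those rules so a defender can audit a server's OpenSSL version and configured ciphersuite list offline. The version parser, the `single_dh_use` and `weak_ssl_ciphers` parameters and the sample ciphersuite list are constructed for this example; the ciphersuite naming rules, the `SSL_OP_SINGLE_DH_USE` option and the version cut-offs are taken from the advisory text.

```python
import re

# Constructed helper: turn "1.0.2w" or "1.1.1" into a comparable tuple
# (major, minor, fix, patch_letter). OpenSSL used a single letter suffix
# for 1.0.x/1.1.0 patch releases; "" sorts before "a".
def parse_version(v):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {v!r}")
    major, minor, fix, letters = m.groups()
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), patch)

V_1_0_2F = parse_version("1.0.2f")   # SSL_OP_SINGLE_DH_USE forced on
V_1_0_2W = parse_version("1.0.2w")   # static DH moved to weak-ssl-ciphers
V_1_1_0 = parse_version("1.1.0")
V_1_1_1 = parse_version("1.1.1")

def is_static_dh_openssl_name(name):
    # Advisory: static DH suites are the OpenSSL names starting with "DH-".
    return name.startswith("DH-")

def is_static_dh_iana_name(name):
    # Advisory: IANA names starting with "TLS_DH_", excluding "TLS_DH_anon_".
    return name.startswith("TLS_DH_") and not name.startswith("TLS_DH_anon_")

def is_static_dh(name):
    return is_static_dh_openssl_name(name) or is_static_dh_iana_name(name)

def uses_ffdh_key_exchange(name):
    # Any finite-field DH suite, static or ephemeral, in OpenSSL or IANA
    # naming. ECDH/ECDHE names start with "EC"/"TLS_EC" and never match,
    # matching the advisory's statement that ECDH suites are not impacted.
    return name.startswith(("DH-", "DHE-", "EDH-", "ADH-",
                            "TLS_DH_", "TLS_DHE_"))

def dh_secret_reused(version, ciphersuite,
                     single_dh_use=False, weak_ssl_ciphers=False):
    """Per the advisory: could this server-side OpenSSL version reuse a DH
    secret across TLS connections for this ciphersuite?

    Returns True/False, or None for 1.1.0 (impact not analysed).
    single_dh_use:    SSL_OP_SINGLE_DH_USE explicitly set (matters < 1.0.2f)
    weak_ssl_ciphers: built with enable-weak-ssl-ciphers (matters >= 1.0.2w)
    """
    v = parse_version(version)
    if v >= V_1_1_1:
        return False          # never reuses; no static DH suites at all
    if v >= V_1_1_0:
        return None           # advisory: not analysed
    if v >= V_1_0_2F:
        if not is_static_dh(ciphersuite):
            return False      # single-use DH secrets cannot be turned off
        if v >= V_1_0_2W and not weak_ssl_ciphers:
            return False      # suite not compiled in at all
        return True           # static DH still reuses the secret
    # 1.0.2e and below: every DH suite reuses unless the option was set
    return uses_ffdh_key_exchange(ciphersuite) and not single_dh_use

def audit_cipher_list(version, ciphersuites, **kw):
    """Return the configured suites that the advisory says reuse a DH secret
    on this version (None results for 1.1.0 are reported as well)."""
    return [c for c in ciphersuites
            if dh_secret_reused(version, c, **kw) is not False]

if __name__ == "__main__":
    # Constructed sample server cipher list for the demonstration.
    sample = ["ECDHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA",
              "DH-RSA-AES256-SHA", "TLS_DH_DSS_WITH_AES_128_CBC_SHA",
              "TLS_DH_anon_WITH_AES_256_CBC_SHA", "AES128-SHA"]
    for ver in ("1.0.2e", "1.0.2v", "1.0.2w", "1.1.1"):
        print(ver, "->", audit_cipher_list(ver, sample))
```

The ordering of the checks mirrors the advisory: 1.1.1 is cleared outright, 1.0.2f+ narrows the question to static DH (and from 1.0.2w to builds that opted into weak ciphers), and anything older depends on whether `SSL_OP_SINGLE_DH_USE` was set. The advisory also notes that static DH suites are only offered when a DH certificate is configured, so an empty audit result is not the only way a server can be unaffected.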