Erlang OTP TLS Server Vulnerability in RSA PKCS #1 1.5 Padding
CVE-2017-1000385

5.9MEDIUM

Key Information:

Vendor

Erlang

Status
Erlang\/otp
Vendor
CVE Published:
12 December 2017

What is CVE-2017-1000385?

The Erlang OTP TLS server is susceptible to a vulnerability where differential TLS alerts are generated in response to various RSA PKCS #1 1.5 padding errors. This could allow malicious actors to exploit the server by decrypting sensitive information or signing messages using the server's private key, similar to techniques utilized in the Bleichenbacher attack. This security flaw emphasizes the need for secure error handling in cryptographic implementations to safeguard against potential exploits.

References

https://usn.ubuntu.com/3571-1/
vendor-advisoryx_refsource_UBUNTU
https://access.redhat.com/errata/RHSA-2018:0528
vendor-advisoryx_refsource_REDHAT
http://erlang.org/pipermail/erlang-questions/2017-Novembe...
mailing-listx_refsource_MLIST

EPSS Score

83% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.