Sign-up

ID

VAR-201503-0226


CVE

CVE-2015-2235


TITLE

SSL/TLS implementations accept export-grade RSA keys (FREAK attack)

Trust: 0.8

sources: CERT/CC: VU#243585

DESCRIPTION

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-1067. Reason: This candidate is a duplicate of CVE-2015-1067. Notes: All CVE users should reference CVE-2015-1067 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** Delete ** This case CVE-2015-1067 It was removed because it was found to be duplicated. CVE-2015-1067 Please refer to. Apple iOS of Secure Transport Is TLS In order not to properly limit state transitions, EXPORT_RSA A vulnerability exists in which cipher suite downgrade attacks are performed on ciphers. This case "FREAK" Vulnerability related to the problem. This vulnerability CVE-2015-0204 and CVE-2015-1637 Is a different vulnerability.Skillfully crafted by a third party TLS Through traffic EXPORT_RSA A cipher suite downgrade attack may be performed on the cipher. SSL/TLS Some implementations of export grade without intentional setting (512 Below bit ) of RSA Something accepts the key. Man-in-the-middle attacks against such software (man-in-the-middle attack) Is performed, the key used for encryption is decrypted, SSL/TLS The traffic content may be decrypted. this is" FREAK It is also called “attack”. Algorithm downgrade (CWE-757) CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') https://cwe.mitre.org/data/definitions/757.html Incorrect cipher strength (CWE-326) CWE-326: Inadequate Encryption Strength https://cwe.mitre.org/data/definitions/326.html SSL/TLS Some implementations of export grade without intentional setting (512 Below bit ) of RSA Something accepts the key. If a man-in-the-middle attack is performed on such software, it is guided to use a weak key in the negotiation at the start of communication, and as a result, encrypted information may be decrypted. The discoverer has released detailed information about this matter. FREAK: Factoring RSA Export Keys https://www.smacktls.com/#freakMan-in-the-middle attacks (man-in-the-middle attack) By SSL/TLS The contents of the communication may be decrypted. Apple iOS, Apple TV and Apple OS X are all products of Apple Inc. in the United States. Apple iOS is an operating system developed for mobile devices; Apple TV is a high-definition TV set-top box product; Apple OS X is a dedicated operating system developed for Mac computers. Apple iOS, Apple OS X and Apple TV are all products of Apple (Apple). Apple iOS is an operating system developed for mobile devices; Apple OS X is a dedicated operating system developed for Mac computers; Apple TV is a high-definition television set-top box product. CoreGraphics is an iOS built-in drawing framework. A security vulnerability exists in the Secure Transport of several Apple products. The vulnerability is caused by the program not properly restricting the transition of TLS state. The following products and versions are affected: Apple iOS 8.1.3 and earlier, Apple OS X 10.10.2 and earlier, Apple TV 7.0.3 and earlier

Trust: 3.15

sources: NVD: CVE-2015-2235 // CERT/CC: VU#243585 // JVNDB: JVNDB-2015-001671 // JVNDB: JVNDB-2015-001672 // VULHUB: VHN-80196

AFFECTED PRODUCTS

vendor:applemodel: - scope: - version: -

Trust: 0.8

vendor:googlemodel: - scope: - version: -

Trust: 0.8

vendor:microsoftmodel: - scope: - version: -

Trust: 0.8

vendor:necmodel: - scope: - version: -

Trust: 0.8

vendor:opensslmodel: - scope: - version: -

Trust: 0.8

vendor:operamodel: - scope: - version: -

Trust: 0.8

vendor:research in motion rimmodel: - scope: - version: -

Trust: 0.8

vendor:applemodel:mac os xscope:lteversion:10.10.2

Trust: 0.8

vendor:applemodel:tvscope:lteversion:7.0.3

Trust: 0.8

vendor:applemodel:iosscope:lteversion:8.1.3

Trust: 0.8

vendor:necmodel:capssuitescope:eqversion:v4 to v5.1

Trust: 0.8

vendor:necmodel:csviewscope:eqversion:/faq navigator

Trust: 0.8

vendor:necmodel:csviewscope:eqversion:/web questionnaire

Trust: 0.8

vendor:necmodel:enterprisedirectoryserverscope:eqversion:ver6.0 to ver8.0

Trust: 0.8

vendor:necmodel:enterpriseidentitymanagerscope:eqversion: -

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:/sg series intersecvm/sg v1.2

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:v3.0

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:v3.1

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:v4.0

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:/sg series sg3600lm/lg/lj v6.1

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:v6.2

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:v7.0

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:v7.1

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:v8.0

Trust: 0.8

vendor:necmodel:express5800scope:eqversion:/sg series univerge sg3000lg/lj

Trust: 0.8

vendor:necmodel:infocagescope:eqversion:security risk management v1.0.2 to v2.1.4

Trust: 0.8

vendor:necmodel:istoragescope:eqversion:a series

Trust: 0.8

vendor:necmodel:istoragescope:eqversion:d series

Trust: 0.8

vendor:necmodel:istoragescope:eqversion:e series

Trust: 0.8

vendor:necmodel:istoragescope:eqversion:hs series

Trust: 0.8

vendor:necmodel:istoragescope:eqversion:m series (nas including options )

Trust: 0.8

vendor:necmodel:istoragescope:eqversion:s series

Trust: 0.8

vendor:necmodel:secureware/pki application development kitscope:eqversion:ver3.0

Trust: 0.8

vendor:necmodel:secureware/pki application development kitscope:eqversion:ver3.01

Trust: 0.8

vendor:necmodel:secureware/pki application development kitscope:eqversion:ver3.02

Trust: 0.8

vendor:necmodel:secureware/pki application development kitscope:eqversion:ver3.1

Trust: 0.8

vendor:necmodel:webotxscope:eqversion:enterprise edition v4.2 to v6.5

Trust: 0.8

vendor:necmodel:webotxscope:eqversion:standard edition v4.2 to v6.5

Trust: 0.8

vendor:necmodel:webotxscope:eqversion:standard-j edition v4.1 to v6.5

Trust: 0.8

vendor:necmodel:webotxscope:eqversion:uddi registry v1.1 to v7.1

Trust: 0.8

vendor:necmodel:webotxscope:eqversion:web edition v4.1 to v6.5

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:enterprise edition v7.1

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:enterprise v8.2 to v9.2

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:express v8.2 to v9.2

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:foundation v8.2 to v8.5

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:standard edition v7.1

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:standard v8.2 to v9.2

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:standard-j edition v7.1 to v8.1

Trust: 0.8

vendor:necmodel:webotx application serverscope:eqversion:web edition v7.1 to v8.1

Trust: 0.8

vendor:necmodel:webotx enterprise service busscope:eqversion:v6.4 to v9.2

Trust: 0.8

vendor:necmodel:webotx portalscope:eqversion:v8.2 to v9.1

Trust: 0.8

vendor:necmodel:webotx sip application serverscope:eqversion:standard edition v7.1 to v8.1

Trust: 0.8

vendor:necmodel:websamscope:eqversion:application navigator v3.1.0.x to v4.1.0.x

Trust: 0.8

vendor:necmodel:websamscope:eqversion:jobcenter cl/web r13.1

Trust: 0.8

vendor:necmodel:websamscope:eqversion:jobcenter cl/web r13.2

Trust: 0.8

vendor:applemodel:mac os xscope:eqversion:10.10.2

Trust: 0.6

vendor:applemodel:iphone osscope:eqversion:8.1.3

Trust: 0.6

vendor:applemodel:tvscope:eqversion:7.0.3

Trust: 0.6

sources: CERT/CC: VU#243585 // JVNDB: JVNDB-2015-001671 // JVNDB: JVNDB-2015-001672 // CNNVD: CNNVD-201503-135

CVSS

SEVERITY

CVSSV2

CVSSV3

IPA: JVNDB-2015-001672
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201503-135
value: MEDIUM

Trust: 0.6

IPA: JVNDB-2015-001672
severity: HIGH
baseScore: 7.8
vectorString: AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

sources: JVNDB: JVNDB-2015-001672 // CNNVD: CNNVD-201503-135

PROBLEMTYPE DATA

problemtype:CWE-Other

Trust: 0.8

sources: JVNDB: JVNDB-2015-001672

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201503-135

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201503-135

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-001671

PATCH
title:Top Pageurl:http://www.apple.com/
Trust: 0.8
title:アライドテレシス株式会社からの情報url:http://jvn.jp/vu/JVNVU99125992/522154/index.html
Trust: 0.8
title:NV15-016url:http://jpn.nec.com/security-info/secinfo/nv15-016.html
Trust: 0.8
title:[08 Jan 2015]url:https://www.openssl.org/news/secadv_20150108.txt
Trust: 0.8
title:3046015url:https://technet.microsoft.com/ja-jp/library/security/3046015
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2015-001671 // 
            
            
            
            JVNDB: JVNDB-2015-001672

EXTERNAL IDS
db:NVDid:CVE-2015-2235
Trust: 2.5
db:CERT/CCid:VU#243585
Trust: 2.4
db:JVNid:JVNVU99125992
Trust: 1.6
db:JVNDBid:JVNDB-2015-001671
Trust: 0.8
db:JVNDBid:JVNDB-2015-001672
Trust: 0.8
db:CNNVDid:CNNVD-201503-135
Trust: 0.7
db:VULHUBid:VHN-80196
Trust: 0.1
sources:
            
            
            CERT/CC: VU#243585 // 
            
            
            
            VULHUB: VHN-80196 // 
            
            
            
            JVNDB: JVNDB-2015-001671 // 
            
            
            
            JVNDB: JVNDB-2015-001672 // 
            
            
            
            CNNVD: CNNVD-201503-135 // 
            
            
            
            NVD: CVE-2015-2235

REFERENCES
url:https://www.smacktls.com/#freak
Trust: 1.6
url:http://www.kb.cert.org/vuls/id/243585
Trust: 1.6
url:https://freakattack.com/
Trust: 1.4
url:http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html
Trust: 0.8
url:http://cwe.mitre.org/data/definitions/757.html
Trust: 0.8
url:http://cwe.mitre.org/data/definitions/326.html
Trust: 0.8
url:https://tools.ietf.org/html/rfc4346#appendix-f.1.1.2
Trust: 0.8
url:https://technet.microsoft.com/library/security/3046015.aspx
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2235
Trust: 0.8
url:http://jvn.jp/vu/jvnvu99125992/
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2235
Trust: 0.8
url:http://jvn.jp/vu/jvnvu99125992/index.html
Trust: 0.8
sources:
            
            
            CERT/CC: VU#243585 // 
            
            
            
            JVNDB: JVNDB-2015-001671 // 
            
            
            
            JVNDB: JVNDB-2015-001672 // 
            
            
            
            CNNVD: CNNVD-201503-135

SOURCES
db:CERT/CCid:VU#243585
db:VULHUBid:VHN-80196
db:JVNDBid:JVNDB-2015-001671
db:JVNDBid:JVNDB-2015-001672
db:CNNVDid:CNNVD-201503-135
db:NVDid:CVE-2015-2235

LAST UPDATE DATE
2024-08-14T12:14:37.442000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#243585date:2015-10-27T00:00:00
db:VULHUBid:VHN-80196date:2015-03-12T00:00:00
db:JVNDBid:JVNDB-2015-001671date:2015-03-10T00:00:00
db:JVNDBid:JVNDB-2015-001672date:2017-03-09T00:00:00
db:CNNVDid:CNNVD-201503-135date:2015-03-11T00:00:00
db:NVDid:CVE-2015-2235date:2023-11-07T02:25:11.603

SOURCES RELEASE DATE
db:CERT/CCid:VU#243585date:2015-03-06T00:00:00
db:VULHUBid:VHN-80196date:2015-03-07T00:00:00
db:JVNDBid:JVNDB-2015-001671date:2015-03-10T00:00:00
db:JVNDBid:JVNDB-2015-001672date:2015-03-10T00:00:00
db:CNNVDid:CNNVD-201503-135date:2015-03-09T00:00:00
db:NVDid:CVE-2015-2235date:2015-03-07T02:59:10.053