VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-vz46-gfhm-aaap

Essentials
Severities (70)
References (114)
Severity details (14)
Exploits (1)
EPSS
History (0)

Vulnerability ID	VCID-vz46-gfhm-aaap
Aliases	CVE-2016-0800 VC-OPENSSL-20160301-CVE-2016-0800
Summary	A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800). Recovering one session key requires the attacker to perform approximately 2^50 computation, as well as thousands of connections to the affected server. A more efficient variant of the DROWN attack exists against unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on 19/Mar/2015 (see CVE-2016-0703 below). Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS servers, if they've not done so already. Disabling all SSLv2 ciphers is also sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and 1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol, and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2 ciphers are nominally disabled, because malicious clients can force the use of SSLv2 with EXPORT ciphers. OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN: SSLv2 is now by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of: SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. In addition, weak ciphers in SSLv3 and up are now disabled in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength ciphers.
Status	Published
Exploitability	2.0
Weighted Severity	9.0
Risk	10.0
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-310	Cryptographic Issues
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor

System	Score	Found at
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0301
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0302
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0303
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0304
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0305
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0306
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0372
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0379
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0445
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0446
rhas	Important	https://access.redhat.com/errata/RHSA-2016:0490
rhas	Critical	https://access.redhat.com/errata/RHSA-2016:1519
epss	0.88377	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.88377	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.8956	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.8956	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89906	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.89994	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.9003	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.9003	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.9003	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.9003	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.9003	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.90629	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.93499	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.93499	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.94344	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.94344	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.94344	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.94344	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.94344	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.94344	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.94344	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.94344	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.94344	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.94344	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
epss	0.95243	https://api.first.org/data/v1/epss?cve=CVE-2016-0800
rhbs	high	https://bugzilla.redhat.com/show_bug.cgi?id=1310593
cvssv2	4.3	https://nvd.nist.gov/vuln/detail/CVE-2016-0800
cvssv3	5.9	https://nvd.nist.gov/vuln/detail/CVE-2016-0800
generic_textual	Moderate	https://www.openssl.org/news/secadv/20160301.txt
cvssv3.1	9.8	http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
generic_textual	CRITICAL	http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
cvssv3.1	7.5	http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
generic_textual	HIGH	http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
cvssv3.1	9.8	http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
generic_textual	CRITICAL	http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
cvssv3.1	8.8	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
generic_textual	HIGH	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
cvssv3.1	6.5	http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
generic_textual	HIGH	http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
generic_textual	Low	http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html

Reference id	Reference type	URL
		http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10722
		http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00001.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00002.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00003.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00004.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00005.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00006.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00007.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00009.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00010.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00012.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00017.html
		http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00025.html
		http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00038.html
		http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00015.html
		http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00017.html
		http://marc.info/?l=bugtraq&m=145983526810210&w=2
		http://marc.info/?l=bugtraq&m=146108058503441&w=2
		http://marc.info/?l=bugtraq&m=146133665209436&w=2
		http://rhn.redhat.com/errata/RHSA-2016-1519.html
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-0800.json
		https://access.redhat.com/security/vulnerabilities/drown
		https://api.first.org/data/v1/epss?cve=CVE-2016-0800
		https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
		https://cert-portal.siemens.com/productcert/pdf/ssa-623229.pdf
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
		https://drownattack.com
		https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03726en_us
		https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03741en_us
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05068681
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05073516
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05086877
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05096953
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05141441
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05143554
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150800
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157667
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05176765
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05307589
		https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05386804
		https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes
		https://ics-cert.us-cert.gov/advisories/ICSA-16-103-03
		https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40168
		https://kc.mcafee.com/corporate/index?page=content&id=SB10154
		https://security.FreeBSD.org/advisories/FreeBSD-SA-16:12.openssl.asc
		https://security.gentoo.org/glsa/201603-15
		https://security.netapp.com/advisory/ntap-20160301-0001/
		http://support.citrix.com/article/CTX208403
		https://www.arista.com/en/support/advisories-notices/security-advisories/1260-security-advisory-18
		https://www.kb.cert.org/vuls/id/583776
		https://www.openssl.org/news/secadv/20160301.txt
		http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160302-openssl
		http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20160330-01-openssl-en
		http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
		http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
		http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
		http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
		http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
		http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
		http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
		http://www.securityfocus.com/bid/83733
		http://www.securityfocus.com/bid/91787
		http://www.securitytracker.com/id/1035133
		http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-623229.pdf
1310593		https://bugzilla.redhat.com/show_bug.cgi?id=1310593
cpe:2.3:a:openssl:openssl:1.0.1:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1:::::::*
cpe:2.3:a:openssl:openssl:1.0.1a:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1a:::::::*
cpe:2.3:a:openssl:openssl:1.0.1b:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1b:::::::*
cpe:2.3:a:openssl:openssl:1.0.1:beta1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1:beta1::::::
cpe:2.3:a:openssl:openssl:1.0.1:beta2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1:beta2::::::
cpe:2.3:a:openssl:openssl:1.0.1:beta3::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1:beta3::::::
cpe:2.3:a:openssl:openssl:1.0.1c:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1c:::::::*
cpe:2.3:a:openssl:openssl:1.0.1d:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1d:::::::*
cpe:2.3:a:openssl:openssl:1.0.1e:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1e:::::::*
cpe:2.3:a:openssl:openssl:1.0.1f:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1f:::::::*
cpe:2.3:a:openssl:openssl:1.0.1g:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1g:::::::*
cpe:2.3:a:openssl:openssl:1.0.1h:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1h:::::::*
cpe:2.3:a:openssl:openssl:1.0.1i:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1i:::::::*
cpe:2.3:a:openssl:openssl:1.0.1j:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1j:::::::*
cpe:2.3:a:openssl:openssl:1.0.1k:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1k:::::::*
cpe:2.3:a:openssl:openssl:1.0.1l:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1l:::::::*
cpe:2.3:a:openssl:openssl:1.0.1m:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1m:::::::*
cpe:2.3:a:openssl:openssl:1.0.1n:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1n:::::::*
cpe:2.3:a:openssl:openssl:1.0.1o:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1o:::::::*
cpe:2.3:a:openssl:openssl:1.0.1p:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1p:::::::*
cpe:2.3:a:openssl:openssl:1.0.1q:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1q:::::::*
cpe:2.3:a:openssl:openssl:1.0.1r:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.1r:::::::*
cpe:2.3:a:openssl:openssl:1.0.2:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2:::::::*
cpe:2.3:a:openssl:openssl:1.0.2a:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2a:::::::*
cpe:2.3:a:openssl:openssl:1.0.2b:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2b:::::::*
cpe:2.3:a:openssl:openssl:1.0.2:beta1::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2:beta1::::::
cpe:2.3:a:openssl:openssl:1.0.2:beta2::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2:beta2::::::
cpe:2.3:a:openssl:openssl:1.0.2:beta3::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2:beta3::::::
cpe:2.3:a:openssl:openssl:1.0.2c:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2c:::::::*
cpe:2.3:a:openssl:openssl:1.0.2d:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2d:::::::*
cpe:2.3:a:openssl:openssl:1.0.2e:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2e:::::::*
cpe:2.3:a:openssl:openssl:1.0.2f:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2f:::::::*
cpe:2.3:a:pulsesecure:client:-:::::iphone_os::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:pulsesecure:client:-:::::iphone_os::
cpe:2.3:a:pulsesecure:steel_belted_radius:-:::::::*		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:pulsesecure:steel_belted_radius:-:::::::*
CVE-2016-0800		https://nvd.nist.gov/vuln/detail/CVE-2016-0800
RHSA-2016:0301		https://access.redhat.com/errata/RHSA-2016:0301
RHSA-2016:0302		https://access.redhat.com/errata/RHSA-2016:0302
RHSA-2016:0303		https://access.redhat.com/errata/RHSA-2016:0303
RHSA-2016:0304		https://access.redhat.com/errata/RHSA-2016:0304
RHSA-2016:0305		https://access.redhat.com/errata/RHSA-2016:0305
RHSA-2016:0306		https://access.redhat.com/errata/RHSA-2016:0306
RHSA-2016:0372		https://access.redhat.com/errata/RHSA-2016:0372
RHSA-2016:0379		https://access.redhat.com/errata/RHSA-2016:0379
RHSA-2016:0445		https://access.redhat.com/errata/RHSA-2016:0445
RHSA-2016:0446		https://access.redhat.com/errata/RHSA-2016:0446
RHSA-2016:0490		https://access.redhat.com/errata/RHSA-2016:0490
RHSA-2016:1519		https://access.redhat.com/errata/RHSA-2016:1519

Data source	Metasploit
Description	Check if a server supports a given version of SSL/TLS and cipher suites. The certificate is stored in loot, and any known vulnerabilities against that SSL version and cipher suite combination are checked. These checks include POODLE, deprecated protocols, expired/not valid certs, low key strength, null cipher suites, certificates signed with MD5, DROWN, RC4 ciphers, exportable ciphers, LOGJAM, and BEAST.
Note	{}
Ransomware campaign use	Unknown
Source publication date	Oct. 14, 2014
Source URL	https://github.com/rapid7/metasploit-framework/tree/master/modules/auxiliary/scanner/ssl/ssl_version.rb

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2016-0800

Exploitability (E)	Access Vector (AV)	Access Complexity (AC)	Authentication (Au)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
high functional unproven proof_of_concept not_defined	local adjacent_network network	high medium low	multiple single none	none partial complete	none partial complete	none partial complete

Exploitability (E)

Access Vector (AV)

Access Complexity (AC)

Authentication (Au)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

partial

complete

none

partial

complete

none

partial

complete

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2016-0800

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.9946
EPSS Score	0.88377
Published At	May 2, 2025, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
There are no relevant records.