Vulnerability details: VCID-w299-9hqt-aaan
Vulnerability ID VCID-w299-9hqt-aaan
Aliases CVE-2015-3193, VC-OPENSSL-20151203-CVE-2015-3193
Summary There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example, this can occur by default in OpenSSL DHE-based SSL/TLS ciphersuites.
Status Published
Exploitability 0.5
Weighted Severity 7.0
Risk 3.5
System Score Found at
generic_textual Low http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3193.html
epss 0.00453 https://api.first.org/data/v1/epss?cve=CVE-2015-3193
epss 0.01308 https://api.first.org/data/v1/epss?cve=CVE-2015-3193
epss 0.20214 https://api.first.org/data/v1/epss?cve=CVE-2015-3193
epss 0.21812 https://api.first.org/data/v1/epss?cve=CVE-2015-3193
epss 0.32037 https://api.first.org/data/v1/epss?cve=CVE-2015-3193
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193
cvssv2 2.6 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2015-3193
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2015-3193
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2015-3193
generic_textual Low https://ubuntu.com/security/notices/USN-2830-1
generic_textual Low https://www.openssl.org/news/secadv/20151203.txt
cvssv3.1 9.8 http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
generic_textual CRITICAL http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
cvssv3.1 9.8 http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
generic_textual CRITICAL http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
cvssv3.1 7.5 http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
generic_textual HIGH http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Reference id Reference type URL
http://fortiguard.com/advisory/openssl-advisory-december-2015
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10761
http://openssl.org/news/secadv/20151203.txt
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3193.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3193.json
https://api.first.org/data/v1/epss?cve=CVE-2015-3193
https://blog.fuzzing-project.org/31-Fuzzing-Math-miscalculations-in-OpenSSLs-BN_mod_exp-CVE-2015-3193.html
https://bugzilla.redhat.com/show_bug.cgi?id=1288317
https://cert-portal.siemens.com/productcert/pdf/ssa-412672.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3193
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=d73cc256c8e256c32ed959456101b73ba9842f72
https://git.openssl.org/?p=openssl.git;a=commit;h=d73cc256c8e256c32ed959456101b73ba9842f72
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05398322
https://kb.isc.org/article/AA-01438
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA40100
https://ubuntu.com/security/notices/USN-2830-1
https://www.openssl.org/news/secadv/20151203.txt
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151204-openssl
http://www.fortiguard.com/advisory/openssl-advisory-december-2015
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securityfocus.com/bid/78705
http://www.securityfocus.com/bid/91787
http://www.securitytracker.com/id/1034294
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.539966
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.754583
http://www.ubuntu.com/usn/USN-2830-1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2a:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2b:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2c:*:*:*:*:*:*:*
cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:1.0.2d:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
CVE-2015-3193 https://nvd.nist.gov/vuln/detail/CVE-2015-3193
USN-2830-1 https://usn.ubuntu.com/2830-1/
No exploits are available.
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2015-3193
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2015-3193
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Exploit Prediction Scoring System (EPSS)
Percentile 0.75684
EPSS Score 0.00453
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.