OpenSSL SSL_shutdown padding oracle

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2019-001 CVE-2019-1559 02/27/2019 medium v1

Vulnerability details

The behaviour of an application who calls SSL_shutdown function can be used as a padding oracle.

Its exploitation could allow an attacker to decrypt encrypted traffic.

 

Impacted products

ProductsSeverityDetail
Stormshield Network Security medium The SNS products embed a vulnerable version of the OpenSSL library.
Stormshield Endpoint Security medium The SES product embed a vulnerable version of the OpenSSL library.

Revisions

Version Date Description
v1  04/01/2019 Initial release

 



Stormshield Network Security

CVSS v2 Overall Score: 4.4      

Analysis

Impacted version

This vulnerability could be exploited upon the HTTPS server used in SNS HMI to retrieve the administrator password.

  • SNS 3.0.0 to 3.7.2
  • SNS 3.8.0
  • SNS 2.12.0

 

Workaround solution

Solution

Disabling the SNS HMI will prevent an attacker from exploiting this vulnerability.

The 3.7.3, 3.8.1 and 2.14 update fix this vulnerability.

 



Access vector Access complexity Authentication Confidentiality impact Integrity impact Availability impact
Adjacent Network Medium None Complete Complete Complete
CVSS Base score: 7.9 CVSS Vector: (AV:A/AC:M/Au:N/C:C/I:C/A:C)
Exploitability Remediation Level Report Confidence
Unproven that exploit exists Official fix Confirmed
CVSS Temporal score: 5.8 CVSS Vector: (AV:A/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Collateral Damage Potential Target Distribution
None Medium [26-75%]
CVSS Environmental score: 4.4 CVSS Vector: (AV:A/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C/CDP:N/TD:M/CR:ND/IR:ND/AR:ND)


Stormshield Endpoint Security

CVSS v2 Overall Score: 5.3      

Analysis

Impacted version

The successful exploitation of this vulnerability could allow an attacker already present on the local network to decode traffic between SES servers and agents. This could possibly be used to retrieve the security policies (and logs generated by agents) and could be used to further conduct a successful attack on SES agents bypassing the security policies in place.

This vulnerability could also be used to decrypt traffic between SES servers and administration consoles. This could possibly be used to retrieve the security policies and the SES server configurations, including SES server database connection password. This could be used to further alter the SES database contents if the database is reachable by the attacker.

  • SES 6.0.30 and 7.2.24

Workaround solution

Solution

In order to avoid database corruption, consider adding firewall rules on SES database servers to prevent connection from unknown entities. Only SES servers and administration consoles should be allowed to connect to the SES database servers.

The 7.2.25 update fixes this vulnerability.

The 6.0.31 update fixes this vulnerability.



Access vector Access complexity Authentication Confidentiality impact Integrity impact Availability impact
Adjacent Network Medium None Partial None None
CVSS Base score: 2.9 CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Remediation Level Report Confidence
Unproven that exploit exists Official fix Confirmed
CVSS Temporal score: 2.1 CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Collateral Damage Potential Target Distribution
Medium-High High [76-100%]
CVSS Environmental score: 5.3 CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:ND/IR:ND/AR:ND)