Bug 964843 - (CVE-2016-2217) VUL-0: CVE-2016-2217: socat: DH p parameter not prime
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
Other openSUSE 42.1
: P5 - None : Major
Assigned To: Marcus Meissner
Security Team bot
Reported: 2016-02-03 08:45 UTC by Andreas Stieger
Modified: 2016-02-05 09:54 UTC (History)
Found By: Security Response Team
Description Andreas Stieger 2016-02-03 08:45:35 UTC
From http://www.openwall.com/lists/oss-security/2016/02/01/4

Overview
  In the OpenSSL address implementation the hard coded 1024 bit DH p
  parameter was not prime. The effective cryptographic strength of a key
  exchange using these parameters was weaker than the one one could get by
  using a prime p. Moreover, since there is no indication of how these
  parameters were chosen, the existence of a trapdoor that makes possible
  for an eavesdropper to recover the shared secret from a key exchange that
  uses them cannot be ruled out.
  A new prime modulus p parameter has been generated by Socat developer
  using OpenSSL dhparam command.
  In addition the new parameter is 2048 bit long.

Vulnerability Ids:
  Socat security issue 7
  MSVR-1499

Severity: Unknown

Affected versions: 1.7.3.0, 2.0.0-b8

Not affected or corrected versions
  1.0.0.0 - 1.7.2.4
  1.7.3.1 and later
  2.0.0-b1 - 2.0.0-b7
  2.0.0-b9 and later

Workaround
  Disable DH ciphers

Acknowledgments
  Santiago Zanella-Beguelin and Microsoft Vulnerability Research (MSVR).


Already submitted for openSUSE:Factory:
https://build.opensuse.org/request/show/357374

Probably somewhat related to logjam changes - bug 938913
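
An added example, not part of the bug report or of socat's code: a check of the two properties the advisory turns on, whether p is prime and how long it is, extended here to also test the safe-prime property. The function names and the sample moduli are constructed for illustration; the composite below is not socat's old parameter.

```python
import secrets

def is_probable_prime(n, rounds=40):
    """Miller-Rabin; a composite passes with probability <= 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        # Random bases: a crafted composite can be built to pass fixed ones.
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # base a witnesses that n is composite
    return True

def audit_dh_modulus(p, min_bits=2048):
    """Return a list of findings for DH modulus p; empty means it passed."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"modulus is {p.bit_length()} bits, below {min_bits}")
    if not is_probable_prime(p):
        findings.append("p is not prime")
    elif not is_probable_prime((p - 1) // 2):
        findings.append("p is prime but not a safe prime")
    return findings

def parse_openssl_hex(text):
    """Parse the colon-separated hex printed by 'openssl dhparam -text'."""
    return int("".join(text.split()).replace(":", ""), 16)

# Constructed inputs. The composite has no small factors, so trial division
# alone would not flag it; only the primality test does.
COMPOSITE = (2**521 - 1) * (2**607 - 1)
M521 = 2**521 - 1  # a known Mersenne prime, but (p-1)/2 is composite

if __name__ == "__main__":
    print(audit_dh_modulus(COMPOSITE))
    print(audit_dh_modulus(M521, min_bits=512))
```
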
Comment 1 Andreas Stieger 2016-02-03 08:53:38 UTC
SLE 12: socat 1.7.2.4 not affected
openSUSE not affected
only Tumbleweed affected
Comment 2 Alexander Bergmann 2016-02-05 09:54:02 UTC
CVE-2016-2217 was assigned to this issue.