CVE-2017-3736: Infoleak

Published Nov 2, 2017. Last updated 24 July 2024.

Other sources

OpenSSL could allow a remote attacker to obtain sensitive information, caused by a carry propagation flaw in the x86_64 Montgomery squaring function bn_sqrx8x_internal(). An attacker with online access to an unpatched system could exploit this vulnerability to obtain information about the private key.

IBM

There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.

There is a carry propagating bug in the x86_64 Montgomery squaring procedure. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients.

This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
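The two exposure conditions stated above (an upstream version below 1.0.2m or 1.1.0g, and a CPU exposing the BMI1, BMI2 and ADX flags) can be turned into a host check. This is an added example, not code from OpenSSL or from any of the sources quoted on this page; the version banner and /proc/cpuinfo text are constructed samples.

```python
import re

# Upstream fix levels from the advisory: 1.0.2m and 1.1.0g. Other release
# lines (1.0.1, 1.1.1, 3.x) are outside the affected ranges.
FIXED_LETTER = {(1, 0, 2): "m", (1, 1, 0): "g"}

# CPU extensions required for the affected bn_sqrx8x_internal() code path.
REQUIRED_FLAGS = {"bmi1", "bmi2", "adx"}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample inputs, not taken from a real host.
SAMPLE_BANNER = "OpenSSL 1.0.2k  26 Jan 2017"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu sse2 avx2 bmi1 bmi2 adx\n"


def parse_openssl_version(banner):
    """Parse 'openssl version' output into (major, minor, fix, letter)."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def version_is_unpatched(banner):
    """True when the upstream version falls inside the advisory's ranges."""
    major, minor, fix, letter = parse_openssl_version(banner)
    fixed = FIXED_LETTER.get((major, minor, fix))
    if fixed is None:
        return False
    return letter < fixed  # OpenSSL letter releases sort alphabetically


def cpu_takes_affected_path(cpuinfo_text):
    """True when /proc/cpuinfo lists all of bmi1, bmi2 and adx."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            return REQUIRED_FLAGS <= flags
    return False


def exposure(banner, cpuinfo_text):
    """Vulnerable only when the version is unpatched AND the CPU takes the path."""
    if not version_is_unpatched(banner):
        return "patched-version"
    if not cpu_takes_affected_path(cpuinfo_text):
        return "unpatched-but-cpu-unaffected"
    return "vulnerable"
```

Distribution builds backport the fix without changing the upstream letter (the Red Hat entries below list 1:1.0.2k-12.el7 as fixed), so on packaged systems compare the package version against the vendor's fixed release rather than trusting the banner alone.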

Note: This issue is very similar to CVE-2017-3732 and CVE-2015-3193 but must be treated as a separate problem.

External References:

https://www.openssl.org/news/secadv/20171102.txt

Red Hat

Affected Software

23 affected components, fixes available. Each entry gives the affected range; the version after "<" is the first fixed release.

redhat/jbcs-httpd24-apache-commons-daemon < 0:1.1.0-1.redhat_2.1.jbcs.el6
redhat/jbcs-httpd24-apache-commons-daemon-jsvc < 1:1.1.0-1.redhat_2.jbcs.el6
redhat/jbcs-httpd24-apr < 0:1.6.3-14.jbcs.el6
redhat/jbcs-httpd24-apr-util < 0:1.6.1-9.jbcs.el6
redhat/jbcs-httpd24-httpd < 0:2.4.29-17.jbcs.el6
redhat/jbcs-httpd24-nghttp2 < 0:1.29.0-8.jbcs.el6
redhat/jbcs-httpd24-openssl < 1:1.0.2n-11.jbcs.el6
redhat/jbcs-httpd24-apache-commons-daemon < 0:1.1.0-1.redhat_2.1.jbcs.el7
redhat/jbcs-httpd24-apache-commons-daemon-jsvc < 1:1.1.0-1.redhat_2.jbcs.el7
redhat/jbcs-httpd24-apr < 0:1.6.3-14.jbcs.el7
redhat/jbcs-httpd24-apr-util < 0:1.6.1-9.jbcs.el7
redhat/jbcs-httpd24-httpd < 0:2.4.29-17.jbcs.el7
redhat/jbcs-httpd24-nghttp2 < 0:1.29.0-8.jbcs.el7
redhat/jbcs-httpd24-openssl < 1:1.0.2n-11.jbcs.el7
redhat/java < 1.8.0-ibm-1:1.8.0.5.20-1jpp.1.el6_10
redhat/openssl < 1:1.0.2k-12.el7
redhat/java < 1.8.0-ibm-1:1.8.0.5.20-1jpp.1.el7
redhat/openssl < 1.1.0
redhat/openssl < 1.0.2
debian/openssl: fixed in 1.1.1w-0+deb11u1, 1.1.1n-0+deb11u5, 3.0.14-1~deb12u1, 3.0.14-1~deb12u2, 3.3.2-1
OpenSSL (upstream) >= 1.0.2, < 1.0.2m
OpenSSL (upstream) >= 1.1.0, < 1.1.0g
IBM Security Verify Governance <= 10.0

Event History

Nov 2, 2017: CVE published (12:00 AM); CVE published via MITRE (05:00 PM); data sourced via MITRE (05:00 PM): description, weakness
Nov 3, 2017: data sourced via Red Hat (09:20 AM): description, severity, affected software
Jan 11, 2024: data sourced via Launchpad (10:37 PM): description
Sep 14, 2024: data sourced via Ubuntu (03:50 AM): remedy, description, severity, affected software

Frequently Asked Questions

1. What is the severity of CVE-2017-3736?

The severity of CVE-2017-3736 is medium with a severity value of 6.5.

2. How does CVE-2017-3736 affect OpenSSL?

CVE-2017-3736 affects OpenSSL versions before 1.0.2m and 1.1.0 before 1.1.0g on the x86_64 architecture.

3. Are RSA and DSA algorithms affected by CVE-2017-3736?

No, RSA and DSA algorithms are not affected by CVE-2017-3736.

4. Is it difficult to perform attacks against RSA and DSA as a result of CVE-2017-3736?

Yes, attacks against RSA and DSA as a result of CVE-2017-3736 are believed to be very difficult to perform and unlikely.

5. How can I fix CVE-2017-3736?

To fix CVE-2017-3736, update OpenSSL to version 1.0.2m or higher, or version 1.1.0g or higher.
