CVE-2017-3737: Medium severity IBM Security Verify Governance vulnerability
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer.
In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error.
External References:
https://www.openssl.org/news/secadv/20171207.txt
Other sources
OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an "error state" mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error. OpenSSL versions 1.0.2b-1.0.2m are affected. Fixed in OpenSSL 1.0.2n. OpenSSL 1.1.0 is not affected.
OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the "error state" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions.
— IBM
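A version check for the affected range quoted above (1.0.2b through 1.0.2m, fixed in 1.0.2n), as an added example that is not code from OpenSSL, IBM or this page. The function names and the sample inventory are constructed for illustration.

```python
import re

# Range as stated on this page: 1.0.2b through 1.0.2m affected, fixed in
# 1.0.2n, 1.1.0 not affected. Other branches are treated as out of range
# because the page ties the bug to the error state added in 1.0.2b.
AFFECTED_BRANCH = (1, 0, 2)
FIRST_AFFECTED, LAST_AFFECTED = "b", "m"

# Upstream version such as "1.0.2k"; the lookbehind skips digits embedded in
# a package name like "libssl1.0.2".
_VERSION_RE = re.compile(r"(?<![\w.])(\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?![a-z])")


def _letter_rank(suffix):
    """Order patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(suffix), suffix)


def classify(version_text):
    """Return 'affected', 'not affected' or 'unknown' for CVE-2017-3737.

    'affected' means the upstream version is in range; a distribution
    package can carry a backported fix under an unchanged version letter,
    so confirm against the vendor advisory before acting on it.
    """
    match = _VERSION_RE.search(version_text)
    if match is None:
        return "unknown"
    branch = tuple(int(part) for part in match.group(1, 2, 3))
    if branch != AFFECTED_BRANCH:
        return "not affected"
    rank = _letter_rank(match.group(4))
    in_range = _letter_rank(FIRST_AFFECTED) <= rank <= _letter_rank(LAST_AFFECTED)
    return "affected" if in_range else "not affected"


def affected_hosts(inventory):
    """Return the sorted host names whose reported version is in range."""
    return sorted(h for h, v in inventory.items() if classify(v) == "affected")


# Constructed inventory: host name -> text in the style of `openssl version`.
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 1.0.2k-fips  26 Jan 2017",
    "web02": "OpenSSL 1.0.2n  7 Dec 2017",
    "db01": "OpenSSL 1.0.2a 19 Mar 2015",
    "lb01": "OpenSSL 1.1.0g  2 Nov 2017",
    "old01": "libssl1.0.2 1.0.2b-1",
}
```

Calling `affected_hosts(SAMPLE_INVENTORY)` lists the hosts whose upstream version falls in the range; an unparseable string is reported as `unknown` rather than silently treated as safe.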
Frequently Asked Questions
What is CVE-2017-3737?
CVE-2017-3737 is a vulnerability in OpenSSL that allows a remote attacker to bypass security restrictions.
Which versions of OpenSSL are affected by CVE-2017-3737?
OpenSSL 1.0.2b and later versions including 1.0.2, 1.1.1n-0+deb10u3, 1.1.1n-0+deb10u6, 1.1.1w-0+deb11u1, 1.1.1n-0+deb11u5, 3.0.11-1~deb12u1, and 3.0.11-1 are affected.
How severe is CVE-2017-3737?
CVE-2017-3737 has a severity rating of 5.9 (medium).
What is the CWE ID of CVE-2017-3737?
The CWE IDs of CVE-2017-3737 are CWE-125 and CWE-787.
Where can I find more information about CVE-2017-3737?
You can find more information about CVE-2017-3737 at the following references: [Link 1](https://www.openssl.org/news/secadv/20171207.txt), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1523513), [Link 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1523511).