security ssl

Published on December 12th, 2017 📆 | 3229 Views ⚑


CVE-2017-3737: OpenSSL Security Bypass Vulnerability

Recently, OpenSSL Security Bypass Vulnerability was found by a security researcher. An attacker who successfully exploited this vulnerability could circumvent security restrictions and perform unauthorized operations, which may help to launch further attacks.

Affected version

OpenSSL Project OpenSSL 1.0.2
OpenSSL Project OpenSSL 1.0.2m
OpenSSL Project OpenSSL 1.0.2l
OpenSSL Project OpenSSL 1.0.2k
OpenSSL Project OpenSSL 1.0.2j
OpenSSL Project OpenSSL 1.0.2i
OpenSSL Project OpenSSL 1.0.2h
OpenSSL Project OpenSSL 1.0.2g
OpenSSL Project OpenSSL 1.0.2f
OpenSSL Project OpenSSL 1.0.2e
OpenSSL Project OpenSSL 1.0.2d
OpenSSL Project OpenSSL 1.0.2c
OpenSSL Project OpenSSL 1.0.2b
OpenSSL Project OpenSSL 1.0.2a


Unafftected version

OpenSSL Project OpenSSL 1.0.2n

Vulnerability number




Vulnerability description

OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an “error state” mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake. This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly. In that scenario, if the handshake fails then a fatal error will be returned in the initial function call. If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer. In order to exploit this issue an application bug would have to be present that resulted in a call to SSL_read()/SSL_write() being issued after having already received a fatal error.

This issue was reported to OpenSSL on 10th November 2017 by David Benjamin (Google). The fix was proposed by David Benjamin and implemented by Matt Caswell of the OpenSSL development team.


Update to OpenSSL Project OpenSSL 1.0.2n.

Reference: openssl

Download WordPress Themes
Download WordPress Themes
Free Download WordPress Themes
Download Premium WordPress Themes Free
free download udemy paid course

Leave a Reply ✍