CVE-2018-0733: Incorrect CRYPTO_memcmp on HP-UX PA-RISC
First published: Tue Mar 27 2018(Updated: )
Because of an implementation bug the PA-RISC CRYPTO_memcmp function is effectively reduced to only comparing the least significant bit of each byte. This allows an attacker to forge messages that would be considered as authenticated in an amount of tries lower than that guaranteed by the security claims of the scheme. The module can only be compiled by the HP-UX assembler, so that only HP-UX PA-RISC targets are affected. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g).
Credit: openssl-security@openssl.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenSSL libcrypto | >=1.1.0<=1.1.0g |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/103517
- http://www.securitytracker.com/id/1040576
- https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f
- https://security.gentoo.org/glsa/201811-21
- https://security.netapp.com/advisory/ntap-20180330-0002/
- https://www.openssl.org/news/secadv/20180327.txt
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.tenable.com/security/tns-2018-04
- https://www.tenable.com/security/tns-2018-06
- https://www.tenable.com/security/tns-2018-07
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=56d5a4bfcaf37fa420aef2bb881aa55e61cf5f2f
Frequently Asked Questions
What is the severity of CVE-2018-0733?
CVE-2018-0733 is considered a high severity vulnerability due to the potential for message forgery.
How do I fix CVE-2018-0733?
To fix CVE-2018-0733, upgrade to OpenSSL version 1.1.0h or later, as it addresses this implementation bug.
What systems are affected by CVE-2018-0733?
CVE-2018-0733 affects OpenSSL versions prior to 1.1.0h, particularly in the libcrypto component.
Can CVE-2018-0733 lead to unauthorized access?
Yes, CVE-2018-0733 can allow attackers to forge authenticated messages, potentially leading to unauthorized access.
When was CVE-2018-0733 disclosed?
CVE-2018-0733 was disclosed in July 2018, as part of a broader security advisory by OpenSSL.
- agent/type
- agent/softwarecombine
- agent/severity
- agent/title
- agent/remedy
- agent/author
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/openssl
- canonical/openssl libcrypto
- version/openssl libcrypto/1.1.0
- version/openssl libcrypto/1.1.0g