CVE-2020-1968

LOW

OpenSSL 1.0.2-1.0.2v - Pre-Master Secret Disclosure via Raccoon Attack

Title source: llm
STIX 2.1

Description

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).

References (10)

Core 10
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2020/09/msg00016.html
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202210-02
Third Party Advisory vendor-advisory
https://usn.ubuntu.com/4504-1/

Scores

CVSS v3 3.7
EPSS 0.0104
EPSS Percentile 77.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-203
Status published
Products (19)
canonical/ubuntu_linux 16.04
canonical/ubuntu_linux 18.04
debian/debian_linux 9.0
fujitsu/m10-1_firmware < xcp2400
fujitsu/m10-4_firmware < xcp2400
fujitsu/m10-4s_firmware < xcp2400
fujitsu/m12-1_firmware < xcp2400
fujitsu/m12-2_firmware < xcp2400
fujitsu/m12-2s_firmware < xcp2400
openssl/openssl 1.0.2 - 1.0.2v
... and 9 more
Published Sep 09, 2020
Tracked Since Feb 18, 2026