← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:112119 · Disclosed 2018-08-14

OpenSSL 1

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is less a broken front door and more a client tripping over a malicious handshake while a neighbor listens through the wall

Tenable plugin 112119 bundles two OpenSSL issues fixed in 1.0.2p on 2018-08-14. CVE-2018-0732 affects 1.0.2 through 1.0.2o and lets a malicious TLS server send an oversized DH parameter so the client burns CPU and appears hung during the handshake. CVE-2018-0737 affects 1.0.2b through 1.0.2o and is a cache-timing side channel during RSA key generation; the attacker needs sufficient local/co-resident access while the victim is generating a key.

Tenable's MEDIUM label is generous for enterprise prioritization. In the real world this is not an internet-scale server compromise: one path is availability-only and client-side, the other is local side-channel access during a relatively infrequent operation. If you still run OpenSSL 1.0.2, the bigger problem is that the branch has been out of public support since 2020-01-01; that lifecycle debt matters more than these two specific bugs.

"Old OpenSSL, but not old-school emergency: this is mostly client-side DoS and niche local keygen leakage."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an old 1.0.2 footprint

The attacker needs a target using an OpenSSL build older than 1.0.2p, or a distro package missing the backport. Most scanner hits here are version-based only; Tenable itself says this plugin relies on self-reported versioning rather than live exploit validation.
Conditions required:
  • Target has OpenSSL in the vulnerable 1.0.2 range
  • Scanner can see package or binary version
  • No distro backport already neutralized the bug
Where this breaks in practice:
  • Debian, Ubuntu, and other vendors backported fixes without changing the upstream-looking version string semantics
  • A scanner finding does not prove either exploit path is actually reachable in that workload
Detection/coverage: High coverage for inventory scanners like Nessus, but mostly version-only detection; confirm against package provenance and backports.
STEP 02

Weaponize the client-side DoS with a malicious TLS endpoint

For CVE-2018-0732, the attacker operates a hostile TLS server and presents a very large DH parameter during a DHE handshake. Practical tooling would be a custom OpenSSL s_server, TLS-Attacker, or patched handshake harness rather than a mainstream exploit kit. The victim must be the TLS client, not the server.
Conditions required:
  • Victim initiates outbound TLS to an attacker-controlled or attacker-in-the-middle server
  • Handshake negotiates a DH(E)-based ciphersuite
  • Vulnerable client OpenSSL build is in use
Where this breaks in practice:
  • This does not hit passive internet-facing servers waiting for inbound sessions
  • Modern estates often prefer ECDHE over classic DHE, shrinking the reachable population
  • Impact is typically a hung client process or stalled session, not code execution
Detection/coverage: Network IDS may log abnormal TLS handshake parameters, but most vuln scanners do not emulate this path.
STEP 03

Turn CPU burn into limited operational impact

If the client accepts the malicious handshake, it spends excessive time computing against the oversized prime and can appear frozen until the operation completes. In practice this is an availability nuisance against the calling process, job, or session, not a broad server takeover.
Conditions required:
  • Target process cannot timeout or kill the handshake fast enough
  • Business workflow depends on the affected client action succeeding
Where this breaks in practice:
  • Connection timeouts, worker isolation, and retry logic often cap the blast radius
  • Most enterprises can absorb a failed outbound connection far more easily than a remotely owned server
Detection/coverage: Look for TLS client timeouts, sudden CPU spikes in client processes, and repeated failures toward the same remote endpoint.
STEP 04

Exploit RSA key generation side-channel locally

For CVE-2018-0737, the attacker needs side-channel visibility during RSA key generation and uses techniques such as Flush+Reload or Prime+Probe, as described in the academic work that triggered the advisory. This is not a drive-by remote exploit; it assumes co-residency or equivalent local observation at the moment keys are generated.
Conditions required:
  • Attacker has local or co-resident execution on the same host or hardware domain
  • Victim generates an RSA key while under observation
  • Microarchitectural side-channel conditions are favorable
Where this breaks in practice:
  • Requires a prior compromise stage or shared-host foothold
  • Key generation is usually infrequent, so the attacker has to catch the right moment
  • EDR, virtualization boundaries, and reduced local access make this path brittle in managed enterprise estates
Detection/coverage: Standard network scanners will not see this. Detection is mostly indirect: local telemetry, suspicious co-tenant activity, or anomalous key-generation workflows.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo current KEV evidence. I found no listing for CVE-2018-0732 or CVE-2018-0737 in CISA's current KEV catalog, and no strong public evidence of broad active exploitation campaigns.
Proof-of-concept availabilityCVE-2018-0732 is easy to reproduce with a custom malicious TLS server, but I found no mainstream weaponized kit. CVE-2018-0737 is backed by an academic side-channel paper rather than commodity offensive tooling.
EPSSTreat EPSS as noisy here. Public indexed mirrors currently surface inconsistent values: search snippets show CVE-2018-0732 from roughly 8.95% to 78.38% and CVE-2018-0737 around 1.03%; that mismatch reinforces why the friction audit matters more than a raw score.
KEV status and datesNot KEV-listed as checked against CISA's current catalog URL. No KEV add date, no federal emergency patch signal.
CVSS reality checkNVD scores CVE-2018-0732 at 7.5 HIGH (AV:N/AC:L/.../A:H) and CVE-2018-0737 at 5.9 MEDIUM. Tenable uses the 5.9 MEDIUM baseline from CVE-2018-0737, but both scores overstate enterprise urgency because one path is client-side DoS and the other is local keygen side-channel.
Affected versionsCVE-2018-0732: OpenSSL 1.0.2 to 1.0.2o. CVE-2018-0737: OpenSSL 1.0.2b to 1.0.2o. Plugin 112119 flags anything prior to 1.0.2p.
Fixed versions and backportsUpstream fix is 1.0.2p. Debian tracker shows openssl1.0 on stretch fixed in 1.0.2q-1~deb9u1; Ubuntu USN-3692-1 shows fixed backports such as 1.0.2n-1ubuntu5.1 for 18.04 LTS and 1.0.2g-1ubuntu4.13 for 16.04 LTS.
Exposure/scanning dataBitSight search snippets show roughly 128k public observations tied to each CVE, but that is library footprint telemetry, not direct exploitability. These bugs are poor candidates for simple internet-wide reachability statements.
Disclosure timelineCVE-2018-0737 advisory published 2018-04-16; CVE-2018-0732 advisory published 2018-06-12; OpenSSL 1.0.2p release published 2018-08-14.
ResearchersCVE-2018-0732 was reported by Guido Vranken. CVE-2018-0737 was reported by Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia, and Luis Manuel Alvarez Tapia.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.2/10)

The decisive factor is attacker position: neither issue gives an unauthenticated remote path to owning a typical server. One requires the victim to act as a TLS client against a malicious endpoint, and the other requires local/co-resident side-channel access during RSA key generation.

HIGH Downgrade from Tenable MEDIUM to operational LOW
MEDIUM Backport-aware affected-package verification across mixed Linux fleets

Why this verdict

  • Requires the wrong side of the connection: CVE-2018-0732 is fundamentally a client-side handshake DoS, so it misses the large population of inbound-only TLS servers that defenders instinctively worry about.
  • Local/co-resident prerequisite crushes scale: CVE-2018-0737 assumes a prior foothold or shared-host visibility during RSA key generation, which is already post-initial-access and operationally narrow.
  • Blast radius is small even when triggered: the DoS path usually hangs a process or session, and the keygen path targets a specific key creation event rather than enabling durable remote code execution.

Why not higher?

This is not a pre-auth remote server compromise, not wormable, and not tied to strong public evidence of active exploitation. The strongest-looking score in the ecosystem comes from abstract CVSS modeling, but the real exploit chains are hemmed in by client role, local access, and timing requirements.

Why not lower?

It is still a real bug set in a foundational crypto library, and vulnerable 1.0.2 estates usually signal broader hygiene problems. If a host regularly makes outbound TLS connections to untrusted destinations, or if shared infrastructure generates sensitive RSA keys, the finding is not ignorable.

05 · Compensating Control

What to do — in priority order.

  1. Prefer package-vendor fixes over raw upstream version checks — Validate whether your distro already backported the fixes before you launch a noisy patch campaign. For a LOW finding there is no SLA; do this during normal triage and close false positives quickly so your team does not waste backlog capacity.
  2. Reduce or disable legacy DHE where feasible — For the client-side DoS path, shrinking DH(E) negotiation opportunities lowers exposure. Fold cipher-suite hardening into your next normal maintenance cycle; there is no emergency deadline here unless the application is a high-risk outbound client to untrusted servers.
  3. Constrain local multi-tenant execution — The RSA keygen side-channel matters far less on well-isolated hosts. Keep strong tenant isolation, limit shell access, and avoid generating long-lived keys on shared or weakly isolated systems as standard platform hygiene.
  4. Retire OpenSSL 1.0.2 strategically — Even though this plugin is LOW, the branch itself is EOL. Use your routine remediation program to migrate off 1.0.2; that platform-lifecycle work is more valuable than treating this plugin as a fire drill.
What doesn't work
  • A WAF does not help much here because this is not a normal HTTP request exploit; the relevant path is TLS handshake behavior below the web stack.
  • MFA is irrelevant because there is no authentication boundary involved in either exploit chain.
  • Perimeter port blocking alone misses the point: the more realistic CVE-2018-0732 case is an outbound client connecting to a malicious server.
06 · Verification

Crowdsourced verification payload.

Run this on the target Linux/macOS host that Tenable flagged, not from your scanner. Invoke it as bash verify_openssl_102p.sh; root is not required, but package-manager access helps it distinguish vulnerable upstream 1.0.2x builds from patched distro backports. The script exits 0 for PATCHED, 1 for VULNERABLE, and 2 for UNKNOWN.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# verify_openssl_102p.sh
# Checks whether the local host appears vulnerable to the OpenSSL 1.0.2 < 1.0.2p bundle
# (Tenable plugin 112119 / CVE-2018-0732 + CVE-2018-0737).
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u
PATH=/usr/sbin:/usr/bin:/sbin:/bin

say() { printf '%s\n' "$*"; }
patched() { say "PATCHED - $*"; exit 0; }
vuln() { say "VULNERABLE - $*"; exit 1; }
unknown() { say "UNKNOWN - $*"; exit 2; }

if ! command -v openssl >/dev/null 2>&1; then
  unknown "openssl binary not found in PATH"
fi

ver_line="$(openssl version 2>/dev/null || true)"
if [[ -z "$ver_line" ]]; then
  unknown "could not execute 'openssl version'"
fi

# Extract upstream-looking OpenSSL version token.
if [[ "$ver_line" =~ OpenSSL[[:space:]]([0-9]+\.[0-9]+\.[0-9]+[a-z]?) ]]; then
  upstream_ver="${BASH_REMATCH[1]}"
else
  unknown "could not parse OpenSSL version from: $ver_line"
fi

# Distro-backport checks first, because package versions may be fixed while reporting 1.0.2n/g/f etc.
if command -v dpkg-query >/dev/null 2>&1; then
  . /etc/os-release 2>/dev/null || true

  get_pkg_ver() {
    local p="$1"
    dpkg-query -W -f='${Version}' "$p" 2>/dev/null || true
  }

  # Ubuntu fixed versions from USN-3692-1 for this advisory set.
  if [[ "${ID:-}" == "ubuntu" ]]; then
    pkg_ver="$(get_pkg_ver libssl1.0.0)"
    if [[ -n "$pkg_ver" ]]; then
      case "${VERSION_ID:-}" in
        18.04)
          dpkg --compare-versions "$pkg_ver" ge 1.0.2n-1ubuntu5.1 && patched "Ubuntu 18.04 backport detected: libssl1.0.0 $pkg_ver"
          ;;
        17.10)
          dpkg --compare-versions "$pkg_ver" ge 1.0.2g-1ubuntu13.6 && patched "Ubuntu 17.10 backport detected: libssl1.0.0 $pkg_ver"
          ;;
        16.04)
          dpkg --compare-versions "$pkg_ver" ge 1.0.2g-1ubuntu4.13 && patched "Ubuntu 16.04 backport detected: libssl1.0.0 $pkg_ver"
          ;;
        14.04)
          dpkg --compare-versions "$pkg_ver" ge 1.0.1f-1ubuntu2.26 && patched "Ubuntu 14.04 backport detected: libssl1.0.0 $pkg_ver"
          ;;
      esac
    fi
  fi

  # Debian stretch openssl1.0 backport noted in Debian tracker.
  if [[ "${ID:-}" == "debian" || "${ID_LIKE:-}" == *debian* ]]; then
    pkg_ver="$(get_pkg_ver openssl1.0)"
    if [[ -n "$pkg_ver" ]]; then
      dpkg --compare-versions "$pkg_ver" ge 1.0.2q-1~deb9u1 && patched "Debian openssl1.0 backport detected: $pkg_ver"
    fi
  fi
fi

# Upstream-style version logic.
# Vulnerable ranges:
# - CVE-2018-0732: 1.0.2 .. 1.0.2o
# - CVE-2018-0737: 1.0.2b .. 1.0.2o
# Plugin logic: any OpenSSL prior to 1.0.2p.
case "$upstream_ver" in
  1.0.2|1.0.2[a-o])
    vuln "upstream OpenSSL version appears older than 1.0.2p ($upstream_ver)"
    ;;
  1.0.2[p-z]|1.0.2za|1.0.2zb|1.0.2zc|1.0.2zd|1.0.2ze|1.0.2zf|1.0.2zg|1.0.2zh|1.0.2zi|1.0.2zj|1.0.2zk|1.0.2zl|1.0.2zm)
    patched "upstream OpenSSL version is 1.0.2p or later ($upstream_ver)"
    ;;
  0.*|1.1.*|3.*|2.*)
    patched "host is not on the affected upstream 1.0.2 < 1.0.2p branch ($upstream_ver)"
    ;;
  *)
    unknown "unable to safely classify version '$upstream_ver'; check vendor backports/changelog manually"
    ;;
esac
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat tenable:112119 as a patch-emergency queue-jumper. First, verify whether each hit is a distro-backported false positive and identify any systems that still truly run upstream-style OpenSSL 1.0.2 this week; after that, fold confirmed cases into normal library hygiene and broader 1.0.2 retirement work. For a LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA — treat it as backlog hygiene — but if you find hosts still on EOL OpenSSL 1.0.2, use your next routine maintenance window to replace or upgrade them rather than leaving the branch in place indefinitely.

Sources

  1. Tenable Nessus Plugin 112119
  2. OpenSSL Security Advisory 2018-06-12 (CVE-2018-0732)
  3. OpenSSL Security Advisory 2018-04-16 (CVE-2018-0737)
  4. NVD CVE-2018-0732
  5. NVD CVE-2018-0737
  6. Ubuntu USN-3692-1 OpenSSL vulnerabilities
  7. Debian tracker CVE-2018-0732
  8. IACR ePrint: Cache-Timing Attacks on RSA Key Generation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.