Raccoon attack

Summary

CVE	CVE-2020-1968
State	PUBLISHED
Assigner	openssl
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-09-09 14:15:12 UTC
Updated	2026-04-16 15:16:41 UTC
Description	The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).

Risk And Classification

Primary CVSS: v3.1 3.7 LOW from [email protected]

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem Types: CWE-203 | Protocol flaw | CWE-203 CWE-203 Observable Discrepancy

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	3.7	LOW	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N`
3.1	ADP	DECLARED	3.7	LOW	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	3.7	LOW	`CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N`
2.0	[email protected]	Primary	4.3		`AV:N/AC:M/Au:N/C:P/I:N/A:N`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2.0 Breakdown

Access Vector

Network

Access Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

AV:N/AC:M/Au:N/C:P/I:N/A:N

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Hardware	Fujitsu	M10-1	-	All	All	All
Operating System	Fujitsu	M10-1 Firmware	All	All	All	All
Hardware	Fujitsu	M10-4	-	All	All	All
Hardware	Fujitsu	M10-4s	-	All	All	All
Operating System	Fujitsu	M10-4s Firmware	All	All	All	All
Operating System	Fujitsu	M10-4 Firmware	All	All	All	All
Hardware	Fujitsu	M12-1	-	All	All	All
Operating System	Fujitsu	M12-1 Firmware	All	All	All	All
Hardware	Fujitsu	M12-2	-	All	All	All
Hardware	Fujitsu	M12-2s	-	All	All	All
Operating System	Fujitsu	M12-2s Firmware	All	All	All	All
Operating System	Fujitsu	M12-2 Firmware	All	All	All	All
Application	Openssl	Openssl	All	All	All	All
Hardware	Oracle	Ethernet Switch Es2-64	-	All	All	All
Operating System	Oracle	Ethernet Switch Es2-64 Firmware	2.0.0.14	All	All	All
Hardware	Oracle	Ethernet Switch Es2-72	-	All	All	All
Operating System	Oracle	Ethernet Switch Es2-72 Firmware	2.0.0.14	All	All	All
Application	Oracle	Jd Edwards World Security	a9.4	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.56	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.57	All	All	All
Application	Oracle	Peoplesoft Enterprise Peopletools	8.58	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	OpenSSL	OpenSSL	affected Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v)	Not specified

References

Reference	Source	Link	Tags
Oracle Critical Patch Update Advisory - April 2022	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com	Patch, Third Party Advisory
Oracle Critical Patch Update Advisory - October 2021	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com	Patch, Third Party Advisory
[SECURITY] [DLA 2378-1] openssl1.0 security update	af854a3a-2127-422b-91ae-364da2661108	lists.debian.org	Mailing List, Third Party Advisory
USN-4504-1: OpenSSL vulnerabilities \| Ubuntu security notices \| Ubuntu	af854a3a-2127-422b-91ae-364da2661108	usn.ubuntu.com	Third Party Advisory
Oracle Critical Patch Update Advisory - July 2021	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com	Patch, Third Party Advisory
Oracle Critical Patch Update Advisory - January 2021	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com	Third Party Advisory
OpenSSL: Multiple Vulnerabilities (GLSA 202210-02) — Gentoo security	af854a3a-2127-422b-91ae-364da2661108	security.gentoo.org	Third Party Advisory
Oracle Critical Patch Update Advisory - April 2021	af854a3a-2127-422b-91ae-364da2661108	www.oracle.com	Patch, Third Party Advisory
CVE-2020-1968 OpenSSL Vulnerability in NetApp Products \| NetApp Product Security	af854a3a-2127-422b-91ae-364da2661108	security.netapp.com	Third Party Advisory
www.openssl.org/news/secadv/20200909.txt	af854a3a-2127-422b-91ae-364da2661108	www.openssl.org	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky (en)

Legacy QID Mappings

330079 IBM AIX Multiple Vulnerabilities in Openssl (openssl_advisory32)
374875 Oracle PeopleSoft Enterprise PeopleTools Multiple vulnerabilitites (CPUJAN2021)
591018 Hitachi Energy RTU500 series Multiple Vulnerabilities (ICSA-21-336-08)
710638 Gentoo Linux Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (GLSA 202210-02)
730319 Palo Alto Networks (PAN-OS) Impact of the Raccoon Attack Vulnerability (PAN-154936)
91781 IBM Integration Bus and IBM App Connect Enterprise Open Secure Sockets Layer (OpenSSL) Multiple Vulnerabilities (6444817,6444819)