CVE-2016-8610
📋 TL;DR
This OpenSSL vulnerability allows remote attackers to send specially crafted ALERT packets during TLS/SSL handshakes, causing excessive CPU consumption on affected servers. This leads to denial of service by preventing the server from accepting new connections. Systems running vulnerable OpenSSL versions in TLS/SSL server configurations are affected.
💻 Affected Systems
- OpenSSL
📦 What is this software?
- Clustered Data Ontap Antivirus Connector by Netapp
- Communications Ip Service Activator by Oracle
- E Series Santricity Os Controller by Netapp
- Jboss Enterprise Application Platform by Redhat
- Openssl by Openssl: OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.
- Pan Os by Paloaltonetworks
- Peoplesoft Enterprise Peopletools by Oracle
- Retail Predictive Application Server by Oracle
- Snapdrive by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage where the TLS/SSL server becomes unresponsive and cannot accept any new connections, potentially affecting all services relying on that server.
Likely Case
Degraded server performance and intermittent connection failures during attack periods, leading to service disruption for legitimate users.
If Mitigated
Minimal impact with proper rate limiting, connection monitoring, and updated OpenSSL versions preventing exploitation.
🎯 Exploit Status
Exploitation requires network access to the TLS/SSL port and can be performed without authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenSSL 1.0.2i, 1.1.0a, and later versions
Vendor Advisory: https://www.openssl.org/news/secadv/20161026.txt
Restart Required: Yes
Instructions:
1. Identify affected OpenSSL versions using 'openssl version'.
2. Update OpenSSL to a patched version via the package manager (apt-get upgrade openssl, yum update openssl, etc.).
3. Restart all services using OpenSSL.
4. Verify the update with 'openssl version'.
🔧 Temporary Workarounds
Rate Limiting (Linux)
Implement connection rate limiting at the network or application level to mitigate the DoS impact. The rules below match only new connections (TCP SYN), so that established sessions are not cut off once the limit is reached:
iptables -A INPUT -p tcp --dport 443 --syn -m limit --limit 50/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 --syn -j DROP
Load Balancer Protection (all platforms)
Configure load balancers to detect and block excessive handshake attempts.
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to TLS/SSL services
- Deploy Web Application Firewalls (WAF) or intrusion prevention systems with TLS/SSL anomaly detection
🔍 How to Verify
Check if Vulnerable:
Run 'openssl version' and check whether the output matches an affected version (0.9.8, 1.0.1, 1.0.2 through 1.0.2h, or 1.1.0).
Check Version:
openssl version
Verify Fix Applied:
Run 'openssl version' and confirm the version is 1.0.2i or higher, or 1.1.0a or higher. Note that this reports only the OpenSSL command-line binary: services may link a different copy, and distributions that backport fixes (see the Red Hat and Debian advisories under References) may keep the upstream version string, so check the package changelog or the vendor advisory there.
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU usage on TLS/SSL servers
- Multiple failed handshake attempts from single IPs
- Increased error logs for TLS/SSL handshake failures
Network Indicators:
- Spike in ALERT packets during handshakes
- Abnormal TLS/SSL traffic patterns
- Multiple connection attempts with incomplete handshakes
SIEM Query:
source="ssl_logs" AND (message="handshake failure" OR message="alert") | stats count by src_ip | where count > 100
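Added example, not code from this page or from the OpenSSL project: a small TLS record-layer parser that counts the alert records a peer sends before its handshake completes, which is the "spike in ALERT packets during handshakes" indicator listed above, so it can be run over captured connection payloads. The sample streams are constructed inline; the ClientHello stub and the warning threshold are assumptions for this example.

```python
import struct
from collections import Counter

# TLS record-layer content types and alert levels (RFC 5246)
CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE = 20, 21, 22
ALERT_WARNING = 1

def tls_record(ctype, body, version=0x0303):
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length, payload."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def parse_records(stream):
    """Split a raw TLS byte stream into (content_type, version, payload) tuples."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated trailing record: stop rather than misparse it
        records.append((ctype, version, body))
        off += 5 + length
    return records

def handshake_alert_profile(stream):
    """Count record types seen before ChangeCipherSpec, i.e. while still handshaking."""
    profile = Counter()
    for ctype, _version, body in parse_records(stream):
        if ctype == CT_CHANGE_CIPHER_SPEC:
            break  # handshake is completing; alerts after this are normal teardown
        if ctype == CT_HANDSHAKE:
            profile["handshake"] += 1
        elif ctype == CT_ALERT and len(body) >= 2:
            profile["warning" if body[0] == ALERT_WARNING else "fatal"] += 1
    return profile

def is_alert_flood(stream, max_warnings=5):
    """Flag a connection that sends more warning alerts mid-handshake than a
    legitimate peer needs; the threshold is an assumption for this example."""
    return handshake_alert_profile(stream)["warning"] > max_warnings

# Constructed sample streams (not real captures); the ClientHello body is a stub.
CLIENT_HELLO = tls_record(CT_HANDSHAKE, b"\x01\x00\x00\x02\x03\x03")
BENIGN_STREAM = (CLIENT_HELLO + tls_record(CT_CHANGE_CIPHER_SPEC, b"\x01")
                 + tls_record(CT_ALERT, bytes([1, 0])))  # close_notify after handshake
FLOOD_STREAM = CLIENT_HELLO + tls_record(CT_ALERT, bytes([1, 90])) * 20  # repeated warnings

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN_STREAM), ("flood", FLOOD_STREAM)):
        print(name, dict(handshake_alert_profile(stream)), "FLOOD" if is_alert_flood(stream) else "ok")
```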
🔗 References
- http://rhn.redhat.com/errata/RHSA-2017-0286.html
- http://rhn.redhat.com/errata/RHSA-2017-0574.html
- http://rhn.redhat.com/errata/RHSA-2017-1415.html
- http://rhn.redhat.com/errata/RHSA-2017-1659.html
- http://seclists.org/oss-sec/2016/q4/224
- http://www.securityfocus.com/bid/93841
- http://www.securitytracker.com/id/1037084
- https://access.redhat.com/errata/RHSA-2017:1413
- https://access.redhat.com/errata/RHSA-2017:1414
- https://access.redhat.com/errata/RHSA-2017:1658
- https://access.redhat.com/errata/RHSA-2017:1801
- https://access.redhat.com/errata/RHSA-2017:1802
- https://access.redhat.com/errata/RHSA-2017:2493
- https://access.redhat.com/errata/RHSA-2017:2494
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8610
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=af58be768ebb690f78530f796e92b8ae5c9a4401
- https://security.360.cn/cve/CVE-2016-8610/
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:35.openssl.asc
- https://security.netapp.com/advisory/ntap-20171130-0001/
- https://security.paloaltonetworks.com/CVE-2016-8610
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03897en_us
- https://www.debian.org/security/2017/dsa-3773
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html