CVE-2020-1596: TLS Information Disclosure Vulnerability

Overview

Severity: Medium (CVSS 5.4)
CVSS Vector: CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2020-Sep
Released: 2020-09-08
Last Updated: 2020-12-08
EPSS Score: 0.18% (percentile: 39.1%)

Description

An information disclosure vulnerability exists when TLS components use weak hash algorithms. An attacker who successfully exploited this vulnerability could obtain information to further compromise a user's encrypted transmission channel. To exploit the vulnerability, an attacker would have to conduct a man-in-the-middle attack. The update addresses the vulnerability by correcting how TLS components use hash algorithms.

FAQ

What type of information disclosure does the CVE address?
This CVE addresses protocol limitations associated with TLS_DHE ephemeral key reuse, which can lead to key disclosure.

Is there any advice regarding using TLS_DHE keys?
The industry has mostly stopped using TLS_DHE. Microsoft advises customers to disable TLS_DHE.
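The mitigation the FAQ recommends (disabling TLS_DHE) as an added PowerShell example; this is not part of Microsoft's advisory. It assumes an elevated session on Windows 10 / Windows Server 2016 or later with the built-in TLS module, and the -Apply switch is this example's own convention: without it the script only audits.

```powershell
# Added example (not Microsoft's advisory text): audit and optionally disable
# TLS_DHE cipher suites via the Windows TLS module. Assumes Windows 10 /
# Windows Server 2016 or later, run from an elevated PowerShell session.
# Older systems (e.g. Windows Server 2008) rely on the SCHANNEL registry key below.
param(
    [switch]$Apply   # without -Apply the script only reports and changes nothing
)

# 1. List cipher suites that use finite-field ephemeral Diffie-Hellman (TLS_DHE_*).
#    ECDHE suites (TLS_ECDHE_*) are not covered by this advice and are left alone.
$dheSuites = @(Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_DHE_*' })

if ($dheSuites.Count -eq 0) {
    Write-Output 'No TLS_DHE_* cipher suites are enabled on this host.'
} else {
    Write-Output 'Enabled TLS_DHE_* cipher suites:'
    $dheSuites | ForEach-Object { Write-Output "  $($_.Name)" }
}

if ($Apply) {
    # 2. Remove each TLS_DHE_* suite from the active list (persists across reboots).
    foreach ($suite in $dheSuites) {
        Disable-TlsCipherSuite -Name $suite.Name
        Write-Output "Disabled $($suite.Name)"
    }

    # 3. Schannel registry switch that turns off the Diffie-Hellman key exchange
    #    algorithm itself; the only mechanism available on older servers.
    $dhKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
    if (-not (Test-Path $dhKey)) { New-Item -Path $dhKey -Force | Out-Null }
    Set-ItemProperty -Path $dhKey -Name 'Enabled' -Value 0 -Type DWord
    Write-Output 'SCHANNEL Diffie-Hellman key exchange set to Enabled=0 (restart required).'
}

# 4. Verify: no TLS_DHE_* suite should remain in the active cipher-suite list.
$remaining = @(Get-TlsCipherSuite | Where-Object { $_.Name -like 'TLS_DHE_*' })
Write-Output "TLS_DHE_* suites still enabled: $($remaining.Count)"
```

The registry change affects every Schannel client and server on the host, so confirm that peers still negotiate an ECDHE or RSA suite before rolling it out broadly.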

Affected Products (44)

Security Updates (15)

Acknowledgments

Robert Merget (Ruhr University Bochum), Marcus Brinkmann (Ruhr University Bochum), Nimrod Aviram (Tel Aviv University), Juraj Somorovsky (Paderborn University)

Revision History

  • 2020-09-08: Information published.
  • 2020-12-08: To address a known issue customers running Windows Server 2008 experienced after installing the September 2020 security updates, Microsoft has released the December 2020 Monthly Rollup and Security Only updates for all affected versions of Windows Server 2008. Microsoft strongly recommends that customers enrolled in the Extended Security Update (ESU) program install the updates to correct this known issue.