tenable:122504 · OpenSSL 1.0.2 < 1.0.2r Vulnerability

01 · The Real Story

This is a lock that only fails if the thief is already standing in your hallway with the right shim

tenable:122504 maps to CVE-2019-1559, OpenSSL’s 0-byte record padding oracle fixed in OpenSSL 1.0.2r. Upstream affected versions are 1.0.2 through 1.0.2q; OpenSSL 1.1.0 and 1.1.1 are not affected. The bug only becomes useful when a TLS endpoint using legacy TLS 1.2 CBC cipher suites hits a fatal protocol error, the application then calls SSL_shutdown() twice, and the platform ends up using a non-stitched CBC implementation.

The vendor MEDIUM label is technically defensible, but operationally it is too hot for most enterprise patch queues. This is not a one-packet internet RCE; it is a confidentiality bug that usually needs an active man-in-the-middle position, legacy cipher negotiation, and a very specific application misuse pattern. That stack of prerequisites sharply narrows the reachable population, so for most 10,000-host environments this belongs in backlog hygiene / crypto-hardening, not emergency response.

"Real bug, narrow kill-chain: on-path attacker plus fragile app behavior plus legacy CBC makes this backlog-grade, not fire-drill."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a CBC-capable target with padcheck or TLS-Scanner

The attacker first identifies TLS services that still negotiate vulnerable CBC suites under TLS 1.2 and exhibit behavior associated with CBC padding oracles. Public tooling exists via Tripwire's padcheck and the Ruhr University Bochum TLS-Scanner / TLS-Padding-Oracles project, which is enough to separate likely candidates from the general internet noise.

Conditions required:

Internet-facing or reachable TLS service
TLS 1.2 CBC cipher suites enabled
Service actually linked against vulnerable OpenSSL 1.0.2 code path

Where this breaks in practice:

Banner scans often cannot prove the exact OpenSSL patchlevel
Many modern stacks prefer AEAD ciphers and never negotiate CBC in practice
A lot of scanner hits are false positives caused by generic CBC support rather than this exact OpenSSL bug

Detection/coverage: Good at the posture level, mediocre at exact-CVE attribution. Nessus/version checks catch package age; padcheck/TLS-Scanner validate oracle behavior more directly.

STEP 02

Get on-path to a victim session

This bug does not hand plaintext to a random remote scanner. The attacker generally needs to observe and tamper with a live client↔server TLS session so they can submit malformed records and learn from the server's distinguishable responses. In practice that means a man-in-the-middle foothold on the same network path, a malicious proxy, hostile Wi-Fi, or equivalent traffic control.

Conditions required:

Active network-adversary position between client and server
Ability to induce or observe repeated victim connections

Where this breaks in practice:

This is a huge downward pressure: it assumes a prior foothold or traffic interception position
Modern enterprise egress controls, VPNs, HSTS, and network segmentation reduce realistic attacker opportunities
If the attacker already owns the path, you already have a bigger incident than this CVE

Detection/coverage: Traditional vuln scanners do not test the on-path prerequisite. Network telemetry may reveal TLS downgrade/cipher anomalies, but most orgs will not have deterministic detection here.

STEP 03

Trigger the OpenSSL-specific oracle

The attacker sends crafted malformed TLS records and relies on the target application to hit the vulnerable sequence: fatal protocol error, followed by two SSL_shutdown() calls. If the endpoint uses a non-stitched CBC ciphersuite, OpenSSL can expose a padding oracle by reacting differently to bad padding versus bad MAC cases.

Conditions required:

Application calls SSL_shutdown() twice after a fatal error
Negotiated ciphersuite is vulnerable CBC and non-stitched on that platform
The service's responses remain externally distinguishable

Where this breaks in practice:

OpenSSL itself says applications *should not* do this; many do not
Stitched implementations on common platforms block exploitability for many deployments
Small implementation differences can collapse the signal and kill the oracle

Detection/coverage: Behavioral testing with TLS-Scanner is the right check. Pure version checks overstate exposure because they cannot prove the double-shutdown misuse or stitched/non-stitched runtime path.

STEP 04

Decrypt session material or recover sensitive plaintext

With enough adaptive queries, the attacker can decrypt data protected by the affected TLS session, such as cookies or application traffic, and potentially hijack authenticated web sessions. This is a confidentiality problem, not a clean server takeover primitive.

Conditions required:

Repeated oracle queries possible without connection suppression
Useful victim traffic traverses the observed session

Where this breaks in practice:

Query volume and session reliability make this noisy and brittle compared with modern exploit chains
Impact is limited to intercepted sessions, not fleet-wide code execution
TLS 1.3 / AEAD-first deployments sidestep the whole class

Detection/coverage: Hard to detect generically; watch for unusual malformed TLS record patterns, repeated handshake failures, or scanner-style probe sequences from the same source.

03 · Intelligence Metadata

The supporting signals.

Mapped CVE	CVE-2019-1559 — OpenSSL 0-byte record padding oracle
In-the-wild status	No authoritative CISA KEV listing was found in the catalog pages reviewed, and I did not find solid vendor-grade evidence of broad active exploitation campaigns for this exact CVE.
Public PoC / tooling	Public research and scanner tooling exist: Tripwire `padcheck` and the RUB `TLS-Padding-Oracles` / `TLS-Scanner` work. That makes validation easy, but exploitation still needs an on-path position.
EPSS	Third-party mirrors of FIRST EPSS show roughly 5–6% probability and about the 91st percentile for the next 30 days. That's not zero, but it is still a weak signal compared with truly weaponized edge bugs.
KEV status	Not listed in the CISA KEV catalog pages reviewed.
CVSS vector	CVSS 3.1 `AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N` = 5.9 MEDIUM. The key word is `AC:H`: exploitability depends on several brittle prerequisites, not just network reachability.
Affected versions	Upstream OpenSSL 1.0.2 through 1.0.2q. OpenSSL states 1.1.0 and 1.1.1 are not impacted by this issue.
Fixed versions / backports	Upstream fixed in 1.0.2r. Backported distro fixes include Ubuntu 16.04 `1.0.2g-1ubuntu4.15`, Ubuntu 18.04 `1.0.2n-1ubuntu5.3`, Ubuntu 18.10 `1.0.2n-1ubuntu6.2`, Debian 9 `1.0.2r-1~deb9u1`, and RHEL 7 `openssl-1.0.2k-19.el7`.
Scanning / exposure reality	Internet-wide tools like Shodan/Censys can find TLS services, but version-accurate attribution for this CVE is poor because banners often expose protocol/cipher posture, not the exact OpenSSL runtime path or whether the app performs the vulnerable double shutdown.
Disclosure / researchers	OpenSSL published the advisory on 2019-02-26. The issue was discovered by Juraj Somorovsky, Robert Merget, and Nimrod Aviram, with additional investigation by Steven Collison and Andrew Hourselt.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.7/10)

The decisive factor is attacker position: this usually requires an active man-in-the-middle foothold plus a live victim session, which makes it post-compromise or hostile-network dependent rather than broadly internet-exploitable. The rest of the chain is also fragile — legacy CBC, non-stitched ciphers, and application misuse of SSL_shutdown() — so the exposed population is much smaller than a raw OpenSSL version string suggests.

HIGH Exploit preconditions are materially narrower than the vendor label implies

MEDIUM Exact host-level exposure because runtime stitched/non-stitched behavior and application shutdown logic are hard to prove remotely

Why this verdict

Downgrade for attacker position: a practical exploit normally assumes the attacker is already on path to the victim's TLS session, which is a major real-world gate.
Downgrade for implementation friction: exploitability needs legacy TLS 1.2 CBC plus a non-stitched ciphersuite path plus an application that calls SSL_shutdown() twice after a fatal error.
Downgrade for blast radius: successful exploitation decrypts or hijacks observed sessions; it does not hand you unauthenticated server-side code execution across the fleet.

Why not higher?

This is not an unauthenticated edge takeover, and it is not a low-complexity internet spray target. Even where OpenSSL 1.0.2 is present, many deployments negotiate AEAD suites first, use stitched CBC implementations, or never hit the vulnerable application behavior.

Why not lower?

It is still a real confidentiality flaw in a foundational crypto library, public research and scanner tooling exist, and some legacy internet-facing estates still enable CBC. If you run exposed 1.0.2-era TLS endpoints for browsers or APIs, you should not ignore it completely.

05 · Compensating Control

What to do — in priority order.

Disable CBC cipher suites where business-safe — Remove legacy TLS 1.2 CBC suites from internet-facing listeners and load balancers first; that cuts off the vulnerable exploit path even before you touch packages. For a LOW verdict there is no formal SLA, so do this during normal crypto-hardening/backlog work rather than as an emergency outage.
Prefer AEAD-only TLS policies — Force modern suites such as AES-GCM or ChaCha20-Poly1305 so vulnerable CBC handling never gets negotiated. Fold this into your standard TLS baseline refresh; again, LOW means backlog hygiene, not a war room.
Verify distro backports before declaring exposure — A lot of hosts still show 1.0.2* in package names even when the fix is backported by the distro. Validate package release numbers against vendor advisories before burning patch capacity on false positives.
Retire OpenSSL 1.0.2 estates — The bigger risk story is that 1.0.2 reached end of support on 2019-12-31. Use this finding as fuel to remove legacy TLS stacks during your platform refresh cycle, because future crypto issues will keep landing on the same old estate.

What doesn't work

WAF rules do not reliably stop malformed low-level TLS record abuse because the traffic issue happens below the HTTP layer.
MFA does not fix the oracle; if session material is decrypted or hijacked, MFA has already been bypassed at the session layer.
Version-string-only scanning is not enough to prove exploitability here; it misses distro backports and cannot validate the double-SSL_shutdown() application behavior.

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host that actually provides or links against OpenSSL, not from your scanner node. Invoke it as bash check-cve-2019-1559.sh or sudo bash check-cve-2019-1559.sh; root is helpful for package queries but usually not required. The script checks common distro backports first, then falls back to upstream version logic and prints VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2019-1559.sh
# Purpose: Assess likely exposure to CVE-2019-1559 (OpenSSL 0-byte record padding oracle)
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

say() { echo "$1"; }
ver_ge() {
  # crude but workable lexicographic version compare for these package/version families
  # returns 0 if $1 >= $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n1)" = "$1" ]
}

OS_ID=""
OS_VER=""
if [ -r /etc/os-release ]; then
  . /etc/os-release
  OS_ID="${ID:-}"
  OS_VER="${VERSION_ID:-}"
fi

OPENSSL_BIN_VER=""
if command -v openssl >/dev/null 2>&1; then
  OPENSSL_BIN_VER="$(openssl version 2>/dev/null | awk '{print $2}')"
fi

# 1) Debian/Ubuntu package checks with known fixed backports
if command -v dpkg-query >/dev/null 2>&1; then
  PKG=""
  PKGVER=""

  for p in libssl1.0.0 openssl1.0 openssl; do
    if dpkg-query -W -f='${Status} ${Version}\n' "$p" 2>/dev/null | grep -q 'install ok installed'; then
      PKG="$p"
      PKGVER="$(dpkg-query -W -f='${Version}' "$p" 2>/dev/null)"
      break
    fi
  done

  if [ -n "$PKG" ] && [ -n "$PKGVER" ]; then
    case "$OS_ID:$OS_VER" in
      ubuntu:16.04)
        if ver_ge "$PKGVER" "1.0.2g-1ubuntu4.15"; then say "PATCHED"; exit 0; else say "VULNERABLE"; exit 1; fi ;;
      ubuntu:18.04)
        if ver_ge "$PKGVER" "1.0.2n-1ubuntu5.3"; then say "PATCHED"; exit 0; else say "VULNERABLE"; exit 1; fi ;;
      ubuntu:18.10)
        if ver_ge "$PKGVER" "1.0.2n-1ubuntu6.2"; then say "PATCHED"; exit 0; else say "VULNERABLE"; exit 1; fi ;;
      debian:9)
        if ver_ge "$PKGVER" "1.0.2r-1~deb9u1"; then say "PATCHED"; exit 0; else say "VULNERABLE"; exit 1; fi ;;
    esac

    # Unknown Debian-family release with a 1.0.2 package: avoid lying about backports
    if echo "$PKGVER" | grep -q '1\.0\.2'; then
      say "UNKNOWN"
      exit 2
    fi
  fi
fi

# 2) RPM family check for RHEL/CentOS/Oracle Linux 7 backport
if command -v rpm >/dev/null 2>&1; then
  if rpm -q openssl >/dev/null 2>&1; then
    RPMVER="$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openssl 2>/dev/null)"
    case "$OS_ID:$OS_VER" in
      rhel:7*|centos:7*|ol:7*|rocky:7*|almalinux:7*)
        if ver_ge "$RPMVER" "1.0.2k-19.el7"; then say "PATCHED"; exit 0; else say "VULNERABLE"; exit 1; fi ;;
    esac

    # If changelog explicitly mentions the CVE, trust the vendor backport.
    if rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2019-1559'; then
      say "PATCHED"
      exit 0
    fi

    if echo "$RPMVER" | grep -q '^1\.0\.2'; then
      say "UNKNOWN"
      exit 2
    fi
  fi
fi

# 3) Upstream/OpenSSL binary fallback
if [ -n "$OPENSSL_BIN_VER" ]; then
  case "$OPENSSL_BIN_VER" in
    1.0.2|1.0.2[a-q])
      say "VULNERABLE"
      exit 1
      ;;
    1.0.2r|1.0.2s|1.0.2t|1.0.2u)
      say "PATCHED"
      exit 0
      ;;
    1.1.0*|1.1.1*|3.*)
      say "PATCHED"
      exit 0
      ;;
  esac
fi

say "UNKNOWN"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: do not treat tenable:122504 as a stop-the-line event unless you have a very specific legacy TLS edge that still negotiates CBC and handles hostile client traffic. For a LOW verdict, there is no noisgate mitigation SLA and no noisgate remediation SLA — treat it as backlog hygiene: validate distro backports first, disable CBC suites during the next normal TLS-hardening change window, and fold any remaining OpenSSL 1.0.2 systems into your legacy-platform retirement plan rather than burning emergency patch hours on this CVE alone.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.