CVE-2013-0169
Published: 2013-02-08
Priority: P4 · CVSS 2.0 score 2.6 (low)
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
EPSS: 35.58% (98.3rd percentile)
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Affected
354 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| arm | mbed_tls | < 2.1.14 | 2.1.14 |
| arm | mbed_tls | >= 2.2.0 < 2.7.5 | 2.7.5 |
| arm | mbed_tls | >= 2.8.0 < 2.12.0 | 2.12.0 |
| bouncycastle | bc-java | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:P/I:N/A:N |
| ghsa | — | 2.6 | LOW | — |
| osv | — | 2.6 | LOW | — |
| vendor_ubuntu | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 2.6 | LOW | — |
| vendor_redhat | — | 2.6 | LOW | — |
GHSA
GHSA-2vj6-mvxm-4f5f · CVE-2013-2116 [LOW] CWE-20 · ghsa_unreviewed · 2022-05-17 · CVSS 2.6
The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169.
GHSA
GHSA-cjrv-3xx9-58f9 · CVE-2013-1618 [LOW] · ghsa_unreviewed · 2022-05-17 · CVSS 2.6
The TLS implementation in Opera before 12.13 does not properly consider timing side-channel attacks on a MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
GHSA
GHSA-pvmj-2j9v-f5w6 · CVE-2013-1621 [LOW] CWE-20 · ghsa_unreviewed · 2022-05-17 · CVSS 2.6
Array index error in the SSL module in PolarSSL before 1.2.5 might allow remote attackers to cause a denial of service via vectors involving a crafted padding-length value during validation of CBC padding in a TLS session, a different vulnerability than CVE-2013-0169.
GHSA
GHSA-5g8p-qpcj-85w5 · CVE-2013-1623 [LOW] · ghsa_unreviewed · 2022-05-17 · CVSS 2.6
The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
GHSA
GHSA-qmwj-552p-59h4 · CVE-2013-1619 [LOW] · ghsa_unreviewed · 2022-05-17 · CVSS 2.6
The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
GHSA
GHSA-4pp6-m86c-j4gj · CVE-2013-1620 [LOW] CWE-203 · ghsa_unreviewed · 2022-05-14 · CVSS 2.6
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
GHSA
GHSA-3gm7-8cfv-p8h9 · CVE-2016-2107 [LOW] CWE-200 · ghsa_unreviewed · 2022-05-14 · CVSS 2.6
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
GHSA
Improper Input Validation in Bouncy Castle · CVE-2013-1624 [LOW] CWE-20 · ghsa · 2022-05-14 · CVSS 2.6
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
OSV
Improper Input Validation in Bouncy Castle · CVE-2013-1624 [LOW] · osv · 2022-05-14 · CVSS 2.6
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
GHSA
GHSA-pxhv-jv3r-8j7f · CVE-2018-0497 [LOW] · ghsa_unreviewed · 2022-05-13 · CVSS 2.6
ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote attackers to achieve partial plaintext recovery (for a CBC based ciphersuite) via a timing-based side-channel attack. This vulnerability exists because of an incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.
GHSA
GHSA-pg96-42c4-p633 · CVE-2013-0169 [LOW] · ghsa_unreviewed · 2022-05-05
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
OSV
CVE-2018-0497 [LOW] · osv · 2018-07-28 · CVSS 2.6
ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote attackers to achieve partial plaintext recovery (for a CBC based ciphersuite) via a timing-based side-channel attack. This vulnerability exists because of an incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.
OSV
CVE-2016-2107 [LOW] · osv · 2016-05-05 · CVSS 2.6
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
OSV
CVE-2013-0169 [LOW] · osv · 2013-02-08 · CVSS 2.6
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
OSV
CVE-2013-1620 [LOW] · osv · 2013-02-08 · CVSS 2.6
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
OSV
CVE-2013-1619 [LOW] · osv · 2013-02-08 · CVSS 2.6
The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
OSV
CVE-2013-1624 [LOW] · osv · 2013-02-08 · CVSS 2.6
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
OSV
CVE-2013-1621 [LOW] · osv · 2013-02-08 · CVSS 2.6
Array index error in the SSL module in PolarSSL before 1.2.5 might allow remote attackers to cause a denial of service via vectors involving a crafted padding-length value during validation of CBC padding in a TLS session, a different vulnerability than CVE-2013-0169.
CISA ICS
ABB M2M Gateway · cisa_ics · 2025-04-15
ICS Advisory: ABB M2M Gateway
Release Date: April 15, 2025
Alert Code: ICSA-25-105-08
## 1. EXECUTIVE SUMMARY
- CVSS v4 8.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: ABB
- Equipment: M2M Gateway
- Vulnerabilities: Integer Overflow or Wraparound, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), Unquoted Search Path or Element, Untrusted Search Path, Use After Free, Out-of-bounds Write, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Missing Release of Memory after Effective Lifetime, Allocation of Resources Without Limits or Throttling, Improper Privilege Management, Improper Limitati
CISA ICS
Siemens SCALANCE X-200RNA Switch Devices · cisa_ics · 2022-12-19
ICS Advisory: Siemens SCALANCE X-200RNA Switch Devices
Last Revised: December 19, 2022
Alert Code: ICSA-22-349-21
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Siemens
- Equipment: SCALANCE X-200RNA switch devices before V3.2.7
- Vulnerabilities: Observable Timing Discrepancy; Race Condition; Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Input Validation; NULL Pointer Dereference; Use After Free; Cryptographic Issues; Comparison of Incompatible Types; Resource Management
CISA ICS
Pepperl+Fuchs WirelessHART-Gateway [HIGH] · cisa_ics · 2022-04-07 · CVSS 7.5
ICS Advisory: Pepperl+Fuchs WirelessHART-Gateway
Last Revised: April 07, 2022
Alert Code: ICSA-22-097-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Pepperl+Fuchs
- Equipment: WirelessHART-Gateway
- Vulnerabilities: Use of Hard-coded Credentials, Uncontrolled Resource Consumption, Reliance on Reverse DNS Resolution for a Security-critical Action, Path Traversal, Cross-site Scripting, Exposure of Sensitive Information to an Unauthorized Actor, Cleartext Storage of Sensitive Information in a Cookie, HTTP Request Smuggling, Sensitive Co
CISA ICS
Siemens SIMATIC RF6XXR [MEDIUM] · cisa_ics · 2019-07-11 · CVSS 4.3
ICS Advisory: Siemens SIMATIC RF6XXR
Last Revised: July 11, 2019
Alert Code: ICSA-19-192-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 5.9
- ATTENTION: Exploitable remotely/public exploits are available
- Vendor: Siemens
- Equipment: SIMATIC RF6XXR
- Vulnerabilities: Improper Input Validation, Cryptographic Issues
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow access to sensitive information.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
Siemens reports that the vulnerabilities affect all versions prior to 3.2.1 of the following SIMATIC RF6XXR UHF RFID produ
Debian
CVE-2018-0497 [LOW] · mbedtls · vendor_debian · 2018 · CVSS 2.6
ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote attackers to achieve partial plaintext recovery (for a CBC based ciphersuite) via a timing-based side-channel attack. This vulnerability exists because of an incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.
Scope: local
bookworm: resolved (fixed in 2.12.0-1)
bullseye: resolved (fixed in 2.12.0-1)
forky: resolved (fixed in 2.12.0-1)
sid: resolved (fixed in 2.12.0-1)
trixie: resolved (fixed in 2.12.0-1)
Palo Alto
PAN-SA-2016-0023 OpenSSL Vulnerabilities · CVE-2013-0169 [LOW] CWE-119 · vendor_paloalto · 2016-09-02 · CVSS 2.6
The OpenSSL library embedded in the GlobalProtect™ agent, TerminalServer™ agent and UserID™ agent is
CVEs: CVE-2013-0169, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2176
Affected products: GlobalProtect
Palo Alto
PAN-SA-2016-0020 OpenSSL Vulnerabilities · CVE-2014-8176 [HIGH] CWE-119 · vendor_paloalto · 2016-08-15 · CVSS 7.5
The OpenSSL library has been found to contain several vulnerabilities: CVE-2014-8176, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-1794, CVE-2015-3195, CVE-2015-4000, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-2842. Palo Alto Networks software makes use of the vulnerable library. (Ref # 95622). The OpenSSL library in use by PAN-OS is patched on a regular basis. Severities of the CVEs listed under the summary section range from low to high but have not been shown to be exploitable at the time of this advisory. This issue affects PAN-OS 5.0.X; PAN-OS-5.1.X; PAN-OS 6.0.13 and earlier; PAN-OS 6.1.12 and earlier; PAN-OS 7.0.8 and earlier; PAN-OS 7.1.3 and earl
Red Hat
openssl: Padding oracle in AES-NI CBC MAC check · CVE-2016-2107 [LOW] · vendor_redhat · 2016-05-03 · CVSS 2.6
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when the connection used the AES CBC cipher suite and the server supported AES-NI. A remote attacker could possibly use this flaw to retrieve plain text from encrypted packets by using a TLS/SSL or DTLS server as a padding oracle.
Package: openssl (Red Hat Enterprise Linux 4) - Not
Debian
CVE-2016-2107 [LOW] · openssl · vendor_debian · 2016 · CVSS 2.6
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
Scope: local
bookworm: resolved (fixed in 1.0.2h-1)
bullseye: resolved (fixed in 1.0.2h-1)
forky: resolved (fixed in 1.0.2h-1)
sid: resolved (fixed in 1.0.2h-1)
trixie: resolved (fixed in 1.0.2h-1)
VMware
VMSA-2013-0008: VMware vCenter Chargeback Manager Remote Code Execution · CVE-2013-0166 [MEDIUM] · vendor_vmware · 2013-06-11 · CVSS 5.0
a. vCenter Chargeback Manager Remote Code Execution
The vCenter Chargeback Manager (CBM) contains a flaw in its handling of file uploads. Exploitation of this issue may allow an unauthenticated attacker to execute code remotely. VMware would like to thank Andrea Micalizzi, aka rgod, for reporting this issue to us through HP's Zero Day Initiative (ZDI). The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3520 to this issue.
Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
VMware Product | Product Version | Running on | Replace with / Apply Patch
VMware Product CBM Product Version 2.01 Running on an
Red Hat
gnutls: out of bounds read in _gnutls_ciphertext2compressed (GNUTLS-SA-2013-2) · CVE-2013-2116 [LOW] CWE-125 · vendor_redhat · 2013-05-29 · CVSS 2.6
The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169.
Package: mingw32-gnutls (Red Hat Enterprise Linux 6) - Not affected
BSD
FreeBSD-SA-13:03.openssl: OpenSSL multiple vulnerabilities · CVE-2013-0166 [MEDIUM] · bsd_advisories · 2013-04-02 · CVSS 5.0
FreeBSD-SA-13:03.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Category: contrib
Module: openssl
Announced: 2013-04-02
Affects: All supported versions of FreeBSD.
Corrected: 2013-03-08 17:28:40 UTC (stable/8, 8.3-STABLE)
2013-04-02 17:34:42 UTC (releng/8.3, 8.3-RELEASE-p7)
2013-03-14 17:48:07 UTC (stable/9, 9.1-STABLE)
2013-04-02 17:34:42 UTC (releng/9.0, 9.0-RELEASE-p7)
2013-04-02 17:34:42 UTC (releng/9.1, 9.1-RELEASE-p2)
CVE Name: CVE-2013-0166, CVE-2013-0169
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to devel
Ubuntu
OpenSSL vulnerability · CVE-2013-0169 [MEDIUM] · vendor_ubuntu · 2013-03-25 · CVSS 5.0
Summary: Several security issues were fixed in OpenSSL.
USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0169 and
CVE-2012-2686 was reverted in USN-1732-2 because of a regression. This
update restores the security fix, and includes an extra fix from upstream
to address the AES-NI regression. We apologize for the inconvenience.
Original advisory details:
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL w
Ubuntu
OpenSSL regression · CVE-2013-0169 [MEDIUM] · vendor_ubuntu · 2013-02-28 · CVSS 5.0
Summary: USN-1732-1 introduced a regression in OpenSSL.
USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0169 and
CVE-2012-2686 introduced a regression causing decryption failures on
hardware supporting AES-NI. This update temporarily reverts the security
fix pending further investigation. We apologize for the inconvenience.
Original advisory details:
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vu
Ubuntu
OpenJDK vulnerabilities · CVE-2013-0169 [LOW] · vendor_ubuntu · 2013-02-21 · CVSS 2.6
Summary: Several security issues were fixed in OpenJDK.
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenJDK was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote attacker could use this issue to perform
plaintext-recovery attacks via analysis of timing data. (CVE-2013-0169)
A vulnerability was discovered in the OpenJDK JRE related to information
disclosure and data integrity. An attacker could exploit this to cause a
denial of service. This issue only affected Ubuntu 12.10. (CVE-2013-1484)
A data integrity vulnerability was discovered in the OpenJDK JRE. This
issue only affected Ubuntu 12.10. (CVE-2013-1485)
Two vulnerabilities were discovered in the OpenJDK JRE related to
informat
Ubuntu
OpenSSL vulnerabilities · CVE-2012-2686 [MEDIUM] · vendor_ubuntu · 2013-02-21 · CVSS 5.0
Summary: Several security issues were fixed in OpenSSL.
Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly
handled certain crafted CBC data when used with AES-NI. A remote attacker
could use this issue to cause OpenSSL to crash, resulting in a denial of
service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10.
(CVE-2012-2686)
Stephen Henson discovered that OpenSSL incorrectly performed signature
verification for OCSP responses. A remote attacker could use this issue to
cause OpenSSL to crash, resulting in a denial of service. (CVE-2013-0166)
Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used
in OpenSSL was vulnerable to a timing side-channel attack known as the
"Lucky Thirteen" issue. A remote atta
Red Hat
nss: TLS CBC padding timing attack · CVE-2013-1620 [LOW] · vendor_redhat · 2013-02-04 · CVSS 2.6
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Red Hat
gnutls: TLS CBC padding timing attack (lucky-13) · CVE-2013-1619 [LOW] · vendor_redhat · 2013-02-04 · CVSS 2.6
The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Package: mingw32-gnutls (Red Hat Enterprise Linux 6) - Will not fix
Red Hat
SSL/TLS: CBC padding timing attack (lucky-13) · CVE-2013-0169 [LOW] · vendor_redhat · 2013-02-04 · CVSS 2.6
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Mitigation: On OpenShift Container Platform 3.11 it is possible to edit the list of cipher suites offered by the router when performing 'edge' or 're-encrypt' TLS modes. Please follow the documentation [1] and [2] to remove the vulnerable CBC ciphers and use the modern or intermediate cipher suites outlined by Moz
Red Hat
yaSSL: TLS CBC padding timing attack · CVE-2013-1623 [LOW] · vendor_redhat · 2013-02-04 · CVSS 2.6
The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Statement: Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 5 or 6. The packages use OpenSSL and not yaSSL.
Package: mysql (Red Hat Enterprise Linux 5) - Not affected
Package: mysql (Red Hat Enterprise Linux 6) - Not affected
Red Hat
bouncycastle: TLS CBC padding timing attack · CVE-2013-1624 [LOW] CWE-385 · vendor_redhat · 2013-02-04 · CVSS 2.6
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.
Package: bouncycastle (OpenShif
Debian
CVE-2013-0169 [LOW] · bouncycastle · vendor_debian · 2013 · CVSS 2.6
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Scope: local
bookworm: resolved (fixed in 1.48+dfsg-2)
bullseye: resolved (fixed in 1.48+dfsg-2)
forky: resolved (fixed in 1.48+dfsg-2)
sid: resolved (fixed in 1.48+dfsg-2)
trixie: resolved (fixed in 1.48+dfsg-2)
Debian
CVE-2013-1624 [LOW] · bouncycastle · vendor_debian · 2013 · CVSS 2.6
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Scope: local
bookworm: resolved (fixed in 1.48+dfsg-2)
bullseye: resolved (fixed in 1.48+dfsg-2)
forky: resolved (fixed in 1.48+dfsg-2)
sid: resolved (fixed in 1.48+dfsg-2)
trixie: resolved (fixed in 1.48+dfsg-2)
Debian
CVE-2013-1620 [LOW] · nss · vendor_debian · 2013 · CVSS 2.6
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Scope: local
bookworm: resolved (fixed in 2:3.14.3-1)
bullseye: resolved (fixed in 2:3.14.3-1)
forky: resolved (fixed in 2:3.14.3-1)
sid: resolved (fixed in 2:3.14.3-1)
trixie: resolved (fixed in 2:3.14.3-1)
Debian
CVE-2013-1619: gnutls28 - The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x ...
vendor_debian·2013·CVSS 2.6
CVE-2013-1619 [LOW] CVE-2013-1619: gnutls28 - The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x ...
The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Scope: local
bookworm: resolved (fixed in 3.0.22-3)
bullseye: resolved (fixed in 3.0.22-3)
forky: resolved (fixed in 3.0.22-3)
sid: resolved (fixed in 3.0.22-3)
trixie: resolved (fixed in 3.0.22-3)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-0498 CVE-2018-0497 mbedtls: Two critical flaws fixed in latest release
bugzilla·2018-08-02·CVSS 2.6
CVE-2018-0498 [LOW] CVE-2018-0498 CVE-2018-0497 mbedtls: Two critical flaws fixed in latest release
CVE-2018-0497
ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows remote
attackers to achieve partial plaintext recovery (for a CBC based ciphersuite)
via a timing-based side-channel attack. This vulnerability exists because of an
incorrect fix (with a wrong SHA-384 calculation) for CVE-2013-0169.
CVE-2018-0498
ARM mbed TLS before 2.12.0, before 2.7.5, and before 2.1.14 allows local users
to achieve partial plaintext recovery (for a CBC based ciphersuite) via a
cache-based side-channel attack.
References:
https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-02
Bugzilla
ipxe: Processing of TLS records is vulnerable to timing attacks
bugzilla·2018-01-19·CVSS 2.6
[LOW] ipxe: Processing of TLS records is vulnerable to timing attacks
It was found that the TLS implementation in iPXE is vulnerable to timing attacks when processing TLS records, allowing an attacker to learn whether the integrity check failed or succeeded.
In tls_split_block(), the code returns early when problems with the self-consistency of the decrypted message arise, returning a different error code in each error case, which allows an attacker to leak information either via a timing channel or based on the error codes:
https://git.ipxe.org/ipxe.git/blob/fbe8c52d0d9cdb3d6f5fe8be8edab54618becc1f:/src/net/tls.c#l2220
In tls_new_ciphertext(), an attacker can infer the amount of processed data, which is supposed to be secret, from the amount of time it takes to process the MACs:
https://git.ipxe.org/ipx
HackerOne
LUCKY13 (CVE-2013-0169) affects legalrobot.com
hackerone·2017-07-30·CVSS 2.6
CVE-2013-0169 [LOW] LUCKY13 (CVE-2013-0169) affects legalrobot.com
Hello security team,
The site legalrobot.com is potentially vulnerable to Lucky13.
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=907589
HackerOne
SSL/TLS Vulnerability at khanacademy.org
hackerone·2017-02-22·CVSS 7.5
[HIGH] SSL/TLS Vulnerability at khanacademy.org
CVE-2011-3389
Description :
The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
Problem Location :
https://www.khanacademy.org/
Mitigation :
Upgrade the TLS version on the server to the latest stable version.
CVE-2013-0169:
Description :
The TLS protocol 1.1
HackerOne
Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
hackerone·2016-05-19·CVSS 2.6
CVE-2016-2107 [LOW] Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
Advisory: https://www.openssl.org/news/secadv/20160503.txt
Writeup (Referencing a proof of concept): http://web-in-security.blogspot.de/2016/05/curious-padding-oracle-in-openssl-cve.html
A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.
This issue was introduced as part of the fix for the Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that the same bytes are always read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.
OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should
Bugzilla
CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check
bugzilla·2016-04-28·CVSS 2.6
CVE-2016-2107 [LOW] CVE-2016-2107 openssl: Padding oracle in AES-NI CBC MAC check
Quoting from the draft of OpenSSL upstream advisory:
Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
Severity: High
A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server supports
AES-NI.
This issue was introduced as part of the fix for Lucky 13 padding
attack (CVE-2013-0169). The padding check was rewritten to be in
constant time by making sure that the same bytes are always read and
compared against either the MAC or padding bytes. But it no longer
checked that there was enough data to have both the MAC and padding
bytes.
OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t
This issue was reported to OpenSSL
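The advisory above describes the shape of the Lucky 13 fix (read and compare the same bytes whatever the padding says) and the length check that the OpenSSL rewrite dropped. As an added illustration, not code from OpenSSL, Bouncy Castle or any other project on this page, the block below puts a naive CBC padding/MAC check beside a uniform one that performs the length test first, always inspects the same number of trailing bytes, still computes the MAC on a padding failure and returns one failure value; the HMAC-SHA256 tag length, the key and the records are constructed for the example, and Python can only model the control-flow structure, not the cycle-level constant time or the equalised hash-compression count that a real implementation also needs.

```python
import hmac
import hashlib

# Constructed parameters for the example: HMAC-SHA256 tags, TLS 1.x padding.
MAC_LEN = 32
MAX_PAD = 256          # padding_length byte plus up to 255 padding bytes

def build_record(data: bytes, mac_key: bytes, padlen: int) -> bytes:
    """Lay out a decrypted TLS CBC record body: data || MAC || padding.
    TLS 1.x padding is padlen+1 bytes, each equal to padlen."""
    tag = hmac.new(mac_key, data, hashlib.sha256).digest()
    return data + tag + bytes([padlen]) * (padlen + 1)

def naive_check(record: bytes, mac_key: bytes):
    """Straightforward check: returns early with a distinct error per failure.
    Both the time taken and the error value reveal which step failed
    (the pattern the iPXE report above describes)."""
    if len(record) < MAC_LEN + 1:
        return "ERR_LENGTH"
    padlen = record[-1]
    if padlen + 1 > len(record) - MAC_LEN:
        return "ERR_PADDING"
    if any(b != padlen for b in record[-(padlen + 1):]):
        return "ERR_PADDING"
    body = record[:-(padlen + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if hmac.new(mac_key, data, hashlib.sha256).digest() != tag:
        return "ERR_MAC"
    return data

def hardened_check(record: bytes, mac_key: bytes):
    """Uniform check: one length test up front, then the same steps and a
    single failure value (None) whatever is wrong with padding or MAC."""
    n = len(record)
    # The length test must come first: every fixed-position read below
    # assumes MAC_LEN + 1 bytes exist (the check CVE-2016-2107 dropped).
    if n < MAC_LEN + 1:
        return None
    padlen = record[-1]
    good = int(padlen + 1 <= n - MAC_LEN)
    # Always inspect MAX_PAD trailing positions. Positions beyond the claimed
    # padding, or before the start of the record, are read but masked out,
    # so the amount of work does not depend on the padding byte.
    for i in range(MAX_PAD):
        idx = n - 1 - i
        byte = record[idx] if idx >= 0 else padlen   # dummy read when short
        in_pad = int(i <= padlen)
        good &= int(byte == padlen) | (1 - in_pad)
    # Bad padding is remembered in 'good' but otherwise treated as padlen 0,
    # so the MAC is still computed and compared instead of returning early.
    eff_padlen = padlen * good
    mac_start = n - MAC_LEN - eff_padlen - 1
    data = record[:mac_start]
    tag = record[mac_start:mac_start + MAC_LEN]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()
    good &= int(hmac.compare_digest(expected, tag))
    return data if good else None
```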
Bugzilla
CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
bugzilla·2014-10-15·CVSS 3.4
CVE-2014-3566 [LOW] CVE-2014-3566 SSL/TLS: Padding Oracle On Downgraded Legacy Encryption attack
Bodo Möller, Thai Duong and Krzysztof Kotowicz of Google discovered a flaw in the design of SSL version 3.0 that would allow an attacker to calculate the plaintext of secure connections, allowing, for example, secure HTTP cookies to be stolen.
References:
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
Discussion:
Knowledgebase article:
https://access.redhat.com/articles/1232123
To mitigate this vulnerability, it is recommended that you explicitly disable SSLv3.0 in all affected packages. Additional instructions to do this for each affected package, as well as updates that disable SSLv3.0 by default, are being developed by
Bugzilla
CVE-2013-0169 CVE-2012-4929 mingw32-openssl various flaws [epel-5]
bugzilla·2013-03-12·CVSS 2.6
CVE-2013-0169 [LOW] CVE-2013-0169 CVE-2012-4929 mingw32-openssl various flaws [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-5 tracking bug for mingw32-o
Bugzilla
CVE-2013-0169 CVE-2013-0169 CVE-2012-4929 mingw-openssl various flaws [fedora-all]
bugzilla·2013-03-12·CVSS 2.6
CVE-2013-0169 [LOW] CVE-2013-0169 CVE-2013-0169 CVE-2012-4929 mingw-openssl various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issu
Bugzilla
CVE-2013-1619 gnutls: TLS CBC padding timing attack (lucky-13)
bugzilla·2013-02-06·CVSS 4.0
CVE-2013-1619 [MEDIUM] CVE-2013-1619 gnutls: TLS CBC padding timing attack (lucky-13)
A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported. This vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection, when CBC-mode encryption is used.
This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations). As such, it affects all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks. All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.
The paper indicates that with
Bugzilla
CVE-2013-1621 polarssl: out-of-bounds comparison flaw leads to DoS
bugzilla·2013-02-06·CVSS 2.6
CVE-2013-1621 [LOW] CVE-2013-1621 polarssl: out-of-bounds comparison flaw leads to DoS
In addition to the fix for CVE-2013-0169, PolarSSL 1.2.5 corrects the following problem:
"PolarSSL ... The code does not sanity check padlen before running
the padding check, meaning that out-of-bounds comparisons may be
made" (a possible denial-of-service issue for some applications)
Discussion:
Created polarssl tracking bugs for this issue
Affects: fedora-all [bug 907982]
Bugzilla
CVE-2013-0169 CVE-2013-1621 CVE-2013-1622 polarssl various flaws [fedora-all]
bugzilla·2013-02-05·CVSS 2.6
CVE-2013-0169 [LOW] CVE-2013-0169 CVE-2013-1621 CVE-2013-1622 polarssl various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue aff
Bugzilla
CVE-2012-2686 openssl: DoS due to improper handling of CBC ciphersuites in TLS 1.1/1.2 on AES-NI supporting platforms
bugzilla·2013-02-05·CVSS 5.0
CVE-2012-2686 [MEDIUM] CVE-2012-2686 openssl: DoS due to improper handling of CBC ciphersuites in TLS 1.1/1.2 on AES-NI supporting platforms
A flaw in the OpenSSL handling of CBC ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI (Advanced Encryption Standard New Instructions) supporting platforms [1] can be exploited in a DoS attack.
Anyone using an AES-NI platform for TLS 1.2 or TLS 1.1 on OpenSSL 1.0.1c is affected. Platforms which do not support AES-NI or versions of OpenSSL which do not implement TLS 1.2 or 1.1 (for example OpenSSL 0.9.8 and 1.0.0) are not affected.
[1] http://en.wikipedia.org/wiki/AES-NI#Supporting_CPUs
External References:
http://www.openssl.org/news/secadv_20130205.txt
Discussion:
Statement:
Not vulnerable. This issue did not affect the versions of OpenSSL as shipped with Red Hat Ent
Bugzilla
CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
bugzilla·2013-02-04·CVSS 2.6
CVE-2013-0169 [LOW] CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported. This vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection, when CBC-mode encryption is used.
This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations). As such, it affects all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks. All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.
The paper indicates that with Ope
arXiv
Protecting Cryptographic Libraries against Side-Channel and Code-Reuse Attacks
arxiv_fulltext·2024-12-26
Rodothea Myrsini Tsoupidi, [email protected]
Independent Researcher*, Stockholm, Sweden
Elena Troubitsyna, [email protected]
KTH Royal Institute of Technology, Stockholm, Sweden
Panos Papadimitratos, [email protected]
KTH Royal Institute of Technology, Stockholm, Sweden
## Abstract
Cryptographic libraries, an essential part of cybersecurity, are shown
to be susceptible to different types of attacks, including
side-channel and memory-corruption attacks.
In this article, we examine popular cryptographic libraries in terms
of the security measures they implement, pinpoint security
vulnerabilities, and suggest security improvements in their
development process.
arXiv
Empirical Analysis of Software Vulnerabilities Causing Timing Side Channels
arxiv_fulltext·2023-08-23
M. Mehdi Kholoosi (1, 2), M. Ali Babar (1, 2), Cemal Yilmaz (3)
1 School of Computer Science, CREST, The University of Adelaide, Adelaide, Australia
2 Cyber Security Cooperative Research Centre, Australia
3 Faculty of Engineering and Natural Sciences, Sabanci University, Istanbul, 34956, Turkey
Emails: [email protected], [email protected], [email protected]
## Abstract
Timing attacks are considered one of the most damaging side-channel attacks. These attacks exploit timing fluctuations caused by certain operations to disclose confidential information to an attacker. For instance, in asymmetric encryption, operations such as multiplication and division can cause time-varying execution times th
arXiv
Secure by default - the case of TLS
arxiv_fulltext·2017-08-24
Martin Stanek
Department of Computer Science
Comenius University
## Abstract
Default configuration of various software applications often neglects security objectives.
We tested the default configuration of TLS in dozen web and application servers.
The results show that the "secure by default" principle should be adopted more broadly
by developers and package maintainers. In addition, system administrators cannot
rely blindly on default security options.
Keywords: TLS, secure defaults, testing.
## Introduction
Security often depends on prudent configuration of software components used in a deployed
system. All necessary security controls and options are there, but one has
to turn them on or simply start using them. Unfortunately
RFC
Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)
rfc·2015-02-01
Internet Engineering Task Force (IETF)
Request for Comments: 7457
Category: Informational
ISSN: 2070-1721
Y. Sheffer (Porticor), R. Holz (Technische Universitaet Muenchen), P. Saint-Andre (&yet)
February 2015
Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)
Abstract
Over the last few years, there have been several serious attacks on
Transport Layer Security (TLS), including attacks on its most
commonly used ciphers and modes of operation. This document
summarizes these attacks, with the goal of motivating generic and
protocol-specific recommendations on the usage of TLS and Datagram
TLS (DTLS).
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the In
2013-02-08
Published