Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2003-0078

Overview

Vulnerability Score 5.0 5.0
CVE Id CVE-2003-0078
Last Modified 10 Sep 2008 08:05:47
Published 03 Mar 2003 12:00:00
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact NONE NONE
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2003-0078

Summary

ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."

Vulnerable Systems

Operating System

  • Freebsd 4.2

  • Freebsd 4.3

  • Freebsd 4.4

  • Freebsd 4.5

  • Freebsd 4.6

  • Freebsd 4.7

  • Freebsd 4.8

  • Freebsd 5.0

  • Openbsd 3.1

  • Openbsd 3.2

Application

  • Openssl 0.9.1c

  • Openssl 0.9.2b

  • Openssl 0.9.3

  • Openssl 0.9.4

  • Openssl 0.9.5

  • Openssl 0.9.5a

  • Openssl 0.9.6

  • Openssl 0.9.6a

  • Openssl 0.9.6b

  • Openssl 0.9.6c

  • Openssl 0.9.6d

  • Openssl 0.9.6e

  • Openssl 0.9.6g

  • Openssl 0.9.6h

  • Openssl 0.9.7


References

CONFIRM - http://www.openssl.org/news/secadv_20030219.txt

BUGTRAQ - 20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl)

XF - ssl-cbc-information-leak(11369)

DEBIAN - DSA-253

TRUSTIX - 2003-0005

BID - 6884

REDHAT - RHSA-2003:205

REDHAT - RHSA-2003:104

REDHAT - RHSA-2003:082

REDHAT - RHSA-2003:063

REDHAT - RHSA-2003:062

OSVDB - 3945

MANDRAKE - MDKSA-2003:020

ENGARDE - ESA-20030220-005

CIAC - N-051

GENTOO - GLSA-200302-10

BUGTRAQ - 20030219 OpenSSL 0.9.7a and 0.9.6i released

CONECTIVA - CLSA-2003:570

SGI - 20030501-01-I

NETBSD - NetBSD-SA2003-001


Last Updated: 27 May 2016 10:37:46