Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2003-0147

Overview

Vulnerability Score 5.0 5.0
CVE Id CVE-2003-0147
Last Modified 07 Mar 2011 09:12:12
Published 31 Mar 2003 12:00:00
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact NONE NONE
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2003-0147

Summary

OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).

Vulnerable Systems

Application

  • Openpkg

  • Openpkg 1.1

  • Openpkg 1.2

  • Openssl 0.9.6

  • Openssl 0.9.6a

  • Openssl 0.9.6b

  • Openssl 0.9.6c

  • Openssl 0.9.6d

  • Openssl 0.9.6e

  • Openssl 0.9.6g

  • Openssl 0.9.6h

  • Openssl 0.9.6i

  • Openssl 0.9.7

  • Openssl 0.9.7a

  • Stunnel 3.10

  • Stunnel 3.11

  • Stunnel 3.12

  • Stunnel 3.13

  • Stunnel 3.14

  • Stunnel 3.15

  • Stunnel 3.16

  • Stunnel 3.17

  • Stunnel 3.18

  • Stunnel 3.19

  • Stunnel 3.20

  • Stunnel 3.21

  • Stunnel 3.22

  • Stunnel 3.7

  • Stunnel 3.8

  • Stunnel 3.9

  • Stunnel 4.0

  • Stunnel 4.01

  • Stunnel 4.02

  • Stunnel 4.03

  • Stunnel 4.04


References

CERT-VN - VU#997481

BUGTRAQ - 20030327 Immunix Secured OS 7+ openssl update

BUGTRAQ - 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL

REDHAT - RHSA-2003:102

REDHAT - RHSA-2003:101

CONFIRM - http://www.openssl.org/news/secadv_20030317.txt

MANDRAKE - MDKSA-2003:035

DEBIAN - DSA-288

BUGTRAQ - 20030317 [ADVISORY] Timing Attack on OpenSSL

BUGTRAQ - 20030313 Vulnerability in OpenSSL

MISC - http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

VULNWATCH - 20030313 OpenSSL Private Key Disclosure

SGI - 20030501-01-I

IMMUNIX - IMNX-2003-7+-001-01

OPENPKG - OpenPKG-SA-2003.019

GENTOO - GLSA-200303-23

GENTOO - GLSA-200303-24

GENTOO - GLSA-200303-15

BUGTRAQ - 20030320 [OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl)

CONECTIVA - CLA-2003:625

CALDERA - CSSA-2003-014.0

APPLE - APPLE-SA-2003-03-24


Last Updated: 27 May 2016 11:02:28