Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 4.0
CVE Id: CVE-2013-1619
Last Modified: 26 Mar 2014 12:46:17
Published: 08 Feb 2013 02:55:01
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE

CVE-2013-1619

Summary

The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Vulnerable Systems

Application

  • Gnutls 2.0.0

  • Gnutls 2.0.1

  • Gnutls 2.0.2

  • Gnutls 2.0.3

  • Gnutls 2.0.4

  • Gnutls 2.1.0

  • Gnutls 2.1.1

  • Gnutls 2.1.2

  • Gnutls 2.1.3

  • Gnutls 2.1.4

  • Gnutls 2.1.5

  • Gnutls 2.1.6

  • Gnutls 2.1.7

  • Gnutls 2.1.8

  • Gnutls 2.10.0

  • Gnutls 2.10.1

  • Gnutls 2.10.2

  • Gnutls 2.10.3

  • Gnutls 2.10.4

  • Gnutls 2.10.5

  • Gnutls 2.12.0

  • Gnutls 2.12.1

  • Gnutls 2.12.10

  • Gnutls 2.12.11

  • Gnutls 2.12.12

  • Gnutls 2.12.13

  • Gnutls 2.12.14

  • Gnutls 2.12.15

  • Gnutls 2.12.16

  • Gnutls 2.12.17

  • Gnutls 2.12.18

  • Gnutls 2.12.19

  • Gnutls 2.12.2

  • Gnutls 2.12.20

  • Gnutls 2.12.21

  • Gnutls 2.12.22

  • Gnutls 2.12.3

  • Gnutls 2.12.4

  • Gnutls 2.12.5

  • Gnutls 2.12.6

  • Gnutls 2.12.6.1

  • Gnutls 2.12.7

  • Gnutls 2.12.8

  • Gnutls 2.12.9

  • Gnutls 2.2.0

  • Gnutls 2.2.1

  • Gnutls 2.2.2

  • Gnutls 2.2.3

  • Gnutls 2.2.4

  • Gnutls 2.2.5

  • Gnutls 2.3.0

  • Gnutls 2.3.1

  • Gnutls 2.3.10

  • Gnutls 2.3.11

  • Gnutls 2.3.2

  • Gnutls 2.3.3

  • Gnutls 2.3.4

  • Gnutls 2.3.5

  • Gnutls 2.3.6

  • Gnutls 2.3.7

  • Gnutls 2.3.8

  • Gnutls 2.3.9

  • Gnutls 2.4.0

  • Gnutls 2.4.1

  • Gnutls 2.4.2

  • Gnutls 2.4.3

  • Gnutls 2.5.0

  • Gnutls 2.6.0

  • Gnutls 2.6.1

  • Gnutls 2.6.2

  • Gnutls 2.6.3

  • Gnutls 2.6.4

  • Gnutls 2.6.5

  • Gnutls 2.6.6

  • Gnutls 2.7.4

  • Gnutls 2.8.0

  • Gnutls 2.8.1

  • Gnutls 2.8.2

  • Gnutls 2.8.3

  • Gnutls 2.8.4

  • Gnutls 2.8.5

  • Gnutls 2.8.6

  • Gnutls 3.0

  • Gnutls 3.0.0

  • Gnutls 3.0.1

  • Gnutls 3.0.10

  • Gnutls 3.0.11

  • Gnutls 3.0.12

  • Gnutls 3.0.13

  • Gnutls 3.0.14

  • Gnutls 3.0.15

  • Gnutls 3.0.16

  • Gnutls 3.0.17

  • Gnutls 3.0.18

  • Gnutls 3.0.19

  • Gnutls 3.0.2

  • Gnutls 3.0.20

  • Gnutls 3.0.21

  • Gnutls 3.0.22

  • Gnutls 3.0.23

  • Gnutls 3.0.24

  • Gnutls 3.0.25

  • Gnutls 3.0.26

  • Gnutls 3.0.27

  • Gnutls 3.0.3

  • Gnutls 3.0.4

  • Gnutls 3.0.5

  • Gnutls 3.0.6

  • Gnutls 3.0.7

  • Gnutls 3.0.8

  • Gnutls 3.0.9

  • Gnutls 3.1.0

  • Gnutls 3.1.1

  • Gnutls 3.1.2

  • Gnutls 3.1.3

  • Gnutls 3.1.4

  • Gnutls 3.1.5

  • Gnutls 3.1.6


References

CONFIRM - https://gitorious.org/gnutls/gnutls/commit/b8391806cd79095fe566f2401d8c7ad85a64b198

CONFIRM - https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0

MISC - http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

CONFIRM - http://www.gnutls.org/security.html#GNUTLS-SA-2013-1

MLIST - [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations

CONFIRM - http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html

UBUNTU - USN-1752-1

REDHAT - RHSA-2013:0588

SUSE - openSUSE-SU-2013:0807

SUSE - openSUSE-SU-2014:0346

SUSE - SUSE-SU-2014:0322

SUSE - SUSE-SU-2014:0320

SECUNIA - 57274

SECUNIA - 57260

Related Patches

Red Hat 2013:0588-01 RHSA Moderate: gnutls security update for RHEL 5 x86

Novell SUSE 2013:7660 gnutls security update for SLE 11 SP2 i586

Novell SUSE 2013:7660 gnutls security update for SLE 11 SP2 x86_64

Novell SUSE 2013:8554 gnutls security update for SLE 10 SP4 i586

Novell SUSE 2013:8554 gnutls security update for SLE 10 SP4 x86_64


Last Updated: 27 May 2016 11:01:50