Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2013-1620

Overview

Vulnerability Score 4.3 4.3
CVE Id CVE-2013-1620
Last Modified 14 Apr 2015 09:59:34
Published 08 Feb 2013 02:55:01
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact NONE NONE
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2013-1620

Summary

The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Vulnerable Systems

Application

  • Mozilla Network Security Services


References

MISC - http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

MLIST - [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations

UBUNTU - USN-1763-1

SUSE - openSUSE-SU-2013:0630

SUSE - openSUSE-SU-2013:0631

REDHAT - RHSA-2013:1144

REDHAT - RHSA-2013:1135

BID - 64758

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

GENTOO - GLSA-201406-19

CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0012.html

BUGTRAQ - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities

CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

BUGTRAQ - 20150402 NEW : VMSA-2015-0003 VMware product updates address critical information disclosure issue in JRE

MISC - http://packetstormsecurity.com/files/131271/VMware-Security-Advisory-2015-0003.html


Last Updated: 27 May 2016 10:35:28