Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2013-1622

Overview

Vulnerability Score 4.0 4.0
CVE Id CVE-2013-1622
Last Modified 10 Feb 2013 03:00:00
Published 08 Feb 2013 05:55:01
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity HIGH
Authentication NONE

CVE-2013-1622

Summary

The SSL module in PolarSSL before 1.2.5, when TLS alert messages for decryption errors are enabled, omits a required MAC check during the processing of malformed CBC data in a TLS session, which allows remote attackers to conduct distinguishing attacks via statistical analysis of timing side-channel data for crafted packets, a different vulnerability than CVE-2013-0169.

Vulnerable Systems

Application

  • Polarssl 0.10.0

  • Polarssl 0.10.1

  • Polarssl 0.11.0

  • Polarssl 0.11.1

  • Polarssl 0.12.0

  • Polarssl 0.12.1

  • Polarssl 0.13.1

  • Polarssl 0.14.0

  • Polarssl 0.14.2

  • Polarssl 0.14.3

  • Polarssl 0.99

  • Polarssl 1.0.0

  • Polarssl 1.1.0

  • Polarssl 1.1.1

  • Polarssl 1.1.2

  • Polarssl 1.1.3

  • Polarssl 1.1.4

  • Polarssl 1.1.5

  • Polarssl 1.2.0

  • Polarssl 1.2.1

  • Polarssl 1.2.2

  • Polarssl 1.2.3

  • Polarssl 1.2.4


References

CONFIRM - https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released

MISC - http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

MLIST - [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations


Last Updated: 27 May 2016 11:01:50