Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2013-1623
Last Modified 20 Feb 2014 11:58:17
Published 08 Feb 2013 02:55:01
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2013-1623

Summary

The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Vulnerable Systems

Application

  • Cyassl 0.2.0

  • Cyassl 0.3.0

  • Cyassl 0.4.0

  • Cyassl 0.5.0

  • Cyassl 0.5.5

  • Cyassl 0.6.0

  • Cyassl 0.6.2

  • Cyassl 0.6.3

  • Cyassl 0.8.0

  • Cyassl 0.9.0

  • Cyassl 0.9.6

  • Cyassl 0.9.8

  • Cyassl 0.9.9

  • Cyassl 1.0.0

  • Cyassl 1.0.2

  • Cyassl 1.0.3

  • Cyassl 1.0.6

  • Cyassl 1.1.0

  • Cyassl 1.2.0

  • Cyassl 1.3.0

  • Cyassl 1.4.0

  • Cyassl 1.5.0

  • Cyassl 1.5.4

  • Cyassl 1.5.6

  • Cyassl 1.6.0

  • Cyassl 1.6.5

  • Cyassl 1.8.0

  • Cyassl 1.9.0

  • Cyassl 2.0.0

  • Cyassl 2.0.2

  • Cyassl 2.0.6

  • Cyassl 2.0.8

  • Cyassl 2.2.0

  • Cyassl 2.3.0

  • Cyassl 2.4.0

  • Cyassl 2.4.6


References

CONFIRM - http://www.yassl.com/yaSSL/Blog/Entries/2013/2/5_WolfSSL%2C_provider_of_CyaSSL_Embedded_SSL%2C_releases_first_embedded_TLS_and_DTLS_protocol_fix_for_Lucky_Thirteen_Attack.html

MISC - http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

MLIST - [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations

GENTOO - GLSA-201308-06

SECUNIA - 53372


Last Updated: 27 May 2016 11:01:50