Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.0
CVE Id CVE-2013-1624
Last Modified 19 Apr 2014 12:33:56
Published 08 Feb 2013 02:55:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity HIGH
Authentication NONE

CVE-2013-1624

Summary

The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Vulnerable Systems

Application

  • Bouncycastle Legion-of-the-bouncy-castle-c%23-crytography-api 0.0

  • Bouncycastle Legion-of-the-bouncy-castle-c%23-crytography-api 1.0

  • Bouncycastle Legion-of-the-bouncy-castle-c%23-crytography-api 1.1

  • Bouncycastle Legion-of-the-bouncy-castle-c%23-crytography-api 1.2

  • Bouncycastle Legion-of-the-bouncy-castle-c%23-crytography-api 1.3

  • Bouncycastle Legion-of-the-bouncy-castle-c%23-crytography-api 1.4

  • Bouncycastle Legion-of-the-bouncy-castle-c%23-crytography-api 1.5

  • Bouncycastle Legion-of-the-bouncy-castle-c%23-crytography-api 1.6.1

  • Bouncycastle Legion-of-the-bouncy-castle-c%23-crytography-api 1.7

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.01

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.02

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.03

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.04

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.05

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.06

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.07

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.08

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.09

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.10

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.11

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.12

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.13

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.14

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.15

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.16

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.17

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.18

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.19

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.20

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.21

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.22

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.23

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.24

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.25

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.26

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.27

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.28

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.29

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.30

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.31

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.32

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.33

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.34

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.35

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.36

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.37

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.38

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.39

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.40

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.41

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.42

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.43

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.44

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.45

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.46

  • Bouncycastle Legion-of-the-bouncy-castle-java-crytography-api 1.47


References

MISC - http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

MLIST - [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations

SECUNIA - 57719

SECUNIA - 57716

REDHAT - RHSA-2014:0372

REDHAT - RHSA-2014:0371


Last Updated: 27 May 2016 11:01:50