exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 26 - 45 of 45 RSS Feed

CVE-2013-0169

Status Candidate

Overview

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

Related Files

HP Security Bulletin HPSBUX02857 SSRT101103
Posted Mar 27, 2013
Authored by HP | Site hp.com

HP Security Bulletin HPSBUX02857 SSRT101103 - Potential security vulnerabilities have been identified in Java Runtime Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other exploits. Revision 1 of this advisory.

tags | advisory, java, remote, vulnerability
systems | hpux
advisories | CVE-2012-1541, CVE-2012-3213, CVE-2012-3342, CVE-2013-0169, CVE-2013-0351, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0437, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0445, CVE-2013-0446
SHA-256 | 6892130ed5ebb8b6ff22fb91977bf86f18307a331290e7af9035764ba196688e
HP Security Bulletin HPSBOV02852 SSRT101108
Posted Mar 27, 2013
Authored by HP | Site hp.com

HP Security Bulletin HPSBOV02852 SSRT101108 - Potential security vulnerabilities have been identified in HP SSL for OpenVMS. These vulnerabilities could allow remote Denial of Service (DoS), unauthorized disclosure of information, unauthorized modification. Revision 1 of this advisory.

tags | advisory, remote, denial of service, vulnerability
advisories | CVE-2012-2333, CVE-2013-0166, CVE-2013-0169
SHA-256 | cb5cb5dfdeca2640750b4857366f5e36f9ac5ae17d59f19e92b7294ff275963c
Ubuntu Security Notice USN-1732-3
Posted Mar 25, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1732-3 - USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0169 and CVE-2012-2686 was reverted in USN-1732-2 because of a regression. This update restores the security fix, and includes an extra fix from upstream to address the AES-NI regression. Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10. Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in OpenSSL was vulnerable to a timing side-channel attack known as the "Lucky Thirteen" issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data.

tags | advisory, remote, denial of service, vulnerability, protocol
systems | linux, ubuntu
advisories | CVE-2012-2686, CVE-2013-0169, CVE-2013-0169
SHA-256 | 714d0b8055324fad3bfe313fe9719e788dc74886687fb2bdee9de630373218b6
HP Security Bulletin HPSBUX02856 SSRT101104
Posted Mar 22, 2013
Authored by HP | Site hp.com

HP Security Bulletin HPSBUX02856 SSRT101104 - Potential security vulnerabilities have been identified with HP-UX OpenSSL. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or allow unauthorized disclosure of information. Revision 1 of this advisory.

tags | advisory, denial of service, vulnerability
systems | hpux
advisories | CVE-2013-0166, CVE-2013-0169
SHA-256 | 9917a432965b1459a3758cf6c669fbe20c9d2348e5edcfdba51ca85b607708f2
Red Hat Security Advisory 2013-0636-01
Posted Mar 13, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0636-01 - The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. A flaw was found in the way QEMU-KVM emulated the e1000 network interface card when the host was configured to accept jumbo network frames, and a guest using the e1000 emulated driver was not. A remote attacker could use this flaw to crash the guest or, potentially, execute arbitrary code with root privileges in the guest.

tags | advisory, remote, arbitrary, root
systems | linux, redhat
advisories | CVE-2012-4929, CVE-2012-6075, CVE-2013-0166, CVE-2013-0169, CVE-2013-1619
SHA-256 | b9a7ef0ff18dd828c5d57c86d14d909fe246d0a7a1f774fcff12bfc8e24254c1
Mandriva Linux Security Advisory 2013-018
Posted Mar 7, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-018 - OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key. The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the Lucky Thirteen issue. The updated packages have been patched to correct these issues.

tags | advisory, remote, denial of service, protocol
systems | linux, mandriva
advisories | CVE-2013-0166, CVE-2013-0169
SHA-256 | bf5ab5e72a351205b935141e568c6333cdff26e500e2d5c8d2254663a10fe424
Red Hat Security Advisory 2013-0587-01
Posted Mar 4, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0587-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response.

tags | advisory, remote, protocol
systems | linux, redhat
advisories | CVE-2012-4929, CVE-2013-0166, CVE-2013-0169
SHA-256 | b7d903807077f42489738c10fa1a2c73c8a13a97971c0e95a3061b959469a1d6
Ubuntu Security Notice USN-1732-2
Posted Feb 28, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1732-2 - USN-1732-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2013-0166 and CVE-2012-2686 introduced a regression causing decryption failures on hardware supporting AES-NI. This update temporarily reverts the security fix pending further investigation. Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10. Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in OpenSSL was vulnerable to a timing side-channel attack known as the "Lucky Thirteen" issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data. Various other issues were also addressed.

tags | advisory, remote, denial of service, vulnerability, protocol
systems | linux, ubuntu
advisories | CVE-2012-2686, CVE-2013-0169
SHA-256 | 2367bcc3d45834f284f828f0ff2c01105eb0f564e86bef545dbb3c3941c12cd7
Mandriva Linux Security Advisory 2013-014
Posted Feb 25, 2013
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2013-014 - Multiple security issues were identified and fixed in OpenJDK. MBeanServer access restrictions were added, improved TLS handling of invalid messages, and more.

tags | advisory
systems | linux, mandriva
advisories | CVE-2013-0169, CVE-2013-1486, CVE-2013-1487
SHA-256 | 8ac40eb4b2ce07209ddf331559853b548ca985e61c74804dcf0ddfa8c2e80994
Ubuntu Security Notice USN-1735-1
Posted Feb 22, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1735-1 - Nadhem Alfardan and Kenny Paterson discovered that the TLS protocol as used in OpenSSL was vulnerable to a timing side-channel attack known as the "Lucky Thirteen" issue. A remote attacker could use this issue to perform plaintext-recovery attacks via analysis of timing data. A vulnerability was discovered in the OpenJDK JRE related to information disclosure and data integrity. An attacker could exploit this to cause a denial of service. This issue only affected Ubuntu 12.10. Various other issues were also addressed.

tags | advisory, remote, denial of service, protocol, info disclosure
systems | linux, ubuntu
advisories | CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487
SHA-256 | 2261cb93a882de20b7e4c81f5368c093e6bdc017b92efb2dc8c82925d609cdd8
Ubuntu Security Notice USN-1732-1
Posted Feb 21, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1732-1 - Adam Langley and Wolfgang Ettlingers discovered that OpenSSL incorrectly handled certain crafted CBC data when used with AES-NI. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 12.10. Stephen Henson discovered that OpenSSL incorrectly performed signature verification for OCSP responses. A remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service. Various other issues were also addressed.

tags | advisory, remote, denial of service
systems | linux, ubuntu
advisories | CVE-2012-2686, CVE-2013-0166, CVE-2013-0169, CVE-2012-2686, CVE-2013-0166, CVE-2013-0169
SHA-256 | 3840d7b0427c8c47a692ec2a92d448203e10c63f63d934450bf70540d9f0574d
Red Hat Security Advisory 2013-0532-01
Posted Feb 21, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0532-01 - Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes several vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. All users of java-1.7.0-oracle are advised to upgrade to these updated packages, which provide Oracle Java 7 Update 15 and resolve these issues. All running instances of Oracle Java must be restarted for the update to take effect.

tags | advisory, java, vulnerability
systems | linux, redhat
advisories | CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486, CVE-2013-1487
SHA-256 | 715f873e25410bc468e412c2a033bb64beb683efec1499c2641f64dcbd2dd75b
Red Hat Security Advisory 2013-0531-01
Posted Feb 21, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0531-01 - Oracle Java SE version 6 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update fixes three vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide Oracle Java 6 Update 41. All running instances of Oracle Java must be restarted for the update to take effect.

tags | advisory, java, vulnerability
systems | linux, redhat
advisories | CVE-2013-0169, CVE-2013-1486, CVE-2013-1487
SHA-256 | 02aadfa81bfc8c12143738a124655e974f4700f9e9aebca7ab5638be2cd5ef43
Red Hat Security Advisory 2013-0275-01
Posted Feb 20, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0275-01 - These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. Multiple improper permission check issues were discovered in the JMX and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.

tags | advisory, java
systems | linux, redhat
advisories | CVE-2013-0169, CVE-2013-1484, CVE-2013-1485, CVE-2013-1486
SHA-256 | 158967611fc416ac990e91ac6875a316e09285ecee34a665570603958dc51cd6
Red Hat Security Advisory 2013-0274-01
Posted Feb 20, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0274-01 - These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. An improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.

tags | advisory, java, remote, protocol
systems | linux, redhat
advisories | CVE-2013-0169, CVE-2013-1486
SHA-256 | 1c3483b62f9201a000a9a33304c470c2728d668d5254f683b0d4d35038b7b433
Red Hat Security Advisory 2013-0273-01
Posted Feb 20, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0273-01 - These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. An improper permission check issue was discovered in the JMX component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. It was discovered that OpenJDK leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle.

tags | advisory, java, remote, protocol
systems | linux, redhat
advisories | CVE-2013-0169, CVE-2013-1486
SHA-256 | d539e4d6911cdc8f6a178ebfda088502cb56aa31e26189bdf1c710612c289877
Debian Security Advisory 2621-1
Posted Feb 13, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2621-1 - Multiple vulnerabilities have been found in OpenSSL.

tags | advisory, vulnerability
systems | linux, debian
advisories | CVE-2013-0166, CVE-2013-0169
SHA-256 | 2edf157c157d9f2e572bdf6653f44a0fe8f8a2c7e27d71ebfe74465d6160240d
Debian Security Advisory 2622-1
Posted Feb 13, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2622-1 - Multiple vulnerabilities have been found in OpenSSL.

tags | advisory, vulnerability
systems | linux, debian
advisories | CVE-2013-0169, CVE-2013-1621, CVE-2013-1622
SHA-256 | 7c11e7c98219b8e7ba457443970b43654e7b8453e02ee38225e2316ed94e4071
Slackware Security Advisory - OpenSSL Updates
Posted Feb 13, 2013
Authored by Slackware Security Team | Site slackware.com

Slackware Security Advisory - New openssl packages are available for Slackware 14.0, and -current to fix a bug in openssl-1.0.1d.

tags | advisory
systems | linux, slackware
advisories | CVE-2013-0169
SHA-256 | f9e5e42a57b7eb11448cca362f0d424b185e23c6b8675628e3a52f3613c5e9a0
OpenSSL Security Advisory 20130205
Posted Feb 5, 2013
Site openssl.org

OpenSSL Security Advisory 20130205 - Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing differences arising during MAC processing. Other issues have also been addressed.

tags | advisory
advisories | CVE-2012-2686, CVE-2013-0166, CVE-2013-0169
SHA-256 | 9c4459b12d23541849b3b7bba6f0980bf73c7efd0715788c8712fa8d0e9388ee
Page 2 of 2
Back12Next

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close