CVE-2013-0169
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Published at
2013-02-08T19:55Z
4118 days ago
Modified
2023-05-12T12:58Z
373 days ago
CWE-310
Problem type
References
GET https://vulnerabilitydata.com/api/details/CVE-2013-0169
{
"id": "CVE-2013-0169",
"published_date": "2013-02-08T19:55Z",
"last_modified_date": "2023-05-12T12:58Z",
"assigner": "secalert@redhat.com",
"description": "The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the \"Lucky Thirteen\" issue.",
"references": [
{
"url": "http://www.openssl.org/news/secadv_20130204.txt",
"name": "http://www.openssl.org/news/secadv_20130204.txt",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
]
},
{
"url": "https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released",
"name": "https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
]
},
{
"url": "http://openwall.com/lists/oss-security/2013/02/05/24",
"name": "[oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations",
"refsource": "MLIST",
"tags": [
"Mailing List"
]
},
{
"url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf",
"name": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.matrixssl.org/news.html",
"name": "http://www.matrixssl.org/news.html",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html",
"name": "http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.ubuntu.com/usn/USN-1735-1",
"name": "USN-1735-1",
"refsource": "UBUNTU",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html",
"name": "openSUSE-SU-2013:0375",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.debian.org/security/2013/dsa-2621",
"name": "DSA-2621",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html",
"name": "SUSE-SU-2013:0328",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://rhn.redhat.com/errata/RHSA-2013-0587.html",
"name": "RHSA-2013:0587",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.debian.org/security/2013/dsa-2622",
"name": "DSA-2622",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html",
"name": "openSUSE-SU-2013:0378",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.us-cert.gov/cas/techalerts/TA13-051A.html",
"name": "TA13-051A",
"refsource": "CERT",
"tags": [
"Third Party Advisory",
"US Government Resource"
]
},
{
"url": "http://rhn.redhat.com/errata/RHSA-2013-0783.html",
"name": "RHSA-2013:0783",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://marc.info/?l=bugtraq&m=136396549913849&w=2",
"name": "HPSBUX02856",
"refsource": "HP",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://marc.info/?l=bugtraq&m=136439120408139&w=2",
"name": "HPSBUX02857",
"refsource": "HP",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://marc.info/?l=bugtraq&m=136733161405818&w=2",
"name": "HPSBMU02874",
"refsource": "HP",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://rhn.redhat.com/errata/RHSA-2013-0782.html",
"name": "RHSA-2013:0782",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21644047",
"name": "http://www-01.ibm.com/support/docview.wss?uid=swg21644047",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.kb.cert.org/vuls/id/737740",
"name": "VU#737740",
"refsource": "CERT-VN",
"tags": [
"Third Party Advisory",
"US Government Resource"
]
},
{
"url": "http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html",
"name": "APPLE-SA-2013-09-12-1",
"refsource": "APPLE",
"tags": [
"Mailing List",
"Third Party Advisory"
]
},
{
"url": "http://support.apple.com/kb/HT5880",
"name": "http://support.apple.com/kb/HT5880",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://secunia.com/advisories/55139",
"name": "55139",
"refsource": "SECUNIA",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://secunia.com/advisories/55108",
"name": "55108",
"refsource": "SECUNIA",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://secunia.com/advisories/55351",
"name": "55351",
"refsource": "SECUNIA",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://secunia.com/advisories/55350",
"name": "55350",
"refsource": "SECUNIA",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.securitytracker.com/id/1029190",
"name": "1029190",
"refsource": "SECTRACK",
"tags": [
"Third Party Advisory",
"VDB Entry"
]
},
{
"url": "http://secunia.com/advisories/55322",
"name": "55322",
"refsource": "SECUNIA",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://rhn.redhat.com/errata/RHSA-2013-1455.html",
"name": "RHSA-2013:1455",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://rhn.redhat.com/errata/RHSA-2013-0833.html",
"name": "RHSA-2013:0833",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://rhn.redhat.com/errata/RHSA-2013-1456.html",
"name": "RHSA-2013:1456",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html",
"name": "FEDORA-2013-4403",
"refsource": "FEDORA",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://marc.info/?l=bugtraq&m=137545771702053&w=2",
"name": "SSRT101289",
"refsource": "HP",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html",
"name": "SUSE-SU-2013:0701",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.splunk.com/view/SP-CAAAHXG",
"name": "http://www.splunk.com/view/SP-CAAAHXG",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://secunia.com/advisories/53623",
"name": "53623",
"refsource": "SECUNIA",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:095",
"name": "MDVSA-2013:095",
"refsource": "MANDRIVA",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084",
"name": "https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/",
"name": "http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released/",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html",
"name": "SUSE-SU-2014:0320",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://security.gentoo.org/glsa/glsa-201406-32.xml",
"name": "GLSA-201406-32",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html",
"name": "SUSE-SU-2015:0578",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://marc.info/?l=bugtraq&m=136432043316835&w=2",
"name": "SSRT101108",
"refsource": "HP",
"tags": [
"Third Party Advisory"
]
},
{
"url": "http://www.securityfocus.com/bid/57778",
"name": "57778",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
]
},
{
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html",
"name": "openSUSE-SU-2016:0640",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608",
"name": "oval:org.mitre.oval:def:19608",
"refsource": "OVAL",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540",
"name": "oval:org.mitre.oval:def:19540",
"refsource": "OVAL",
"tags": [
"Tool Signature"
]
},
{
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424",
"name": "oval:org.mitre.oval:def:19424",
"refsource": "OVAL",
"tags": [
"Tool Signature"
]
},
{
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016",
"name": "oval:org.mitre.oval:def:19016",
"refsource": "OVAL",
"tags": [
"Tool Signature"
]
},
{
"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841",
"name": "oval:org.mitre.oval:def:18841",
"refsource": "OVAL",
"tags": [
"Tool Signature"
]
},
{
"url": "https://puppet.com/security/cve/cve-2013-0169",
"name": "https://puppet.com/security/cve/cve-2013-0169",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001",
"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html",
"name": "[debian-lts-announce] 20180925 [SECURITY] [DLA 1518-1] polarssl security update",
"refsource": "MLIST",
"tags": [
"Third Party Advisory"
]
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf",
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
]
}
],
"impact": {
"baseMetricV2": {
"cvssV2": {
"version": "2.0",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"accessVector": "NETWORK",
"accessComplexity": "HIGH",
"authentication": "NONE",
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6
},
"severity": "LOW",
"exploitabilityScore": 4.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainUserPrivilege": false,
"obtainOtherPrivilege": false,
"userInteractionRequired": false
}
},
"problem_type": "CWE-310"
}