Vulnerability Data

by Reconmap

CVE-2013-2061

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.

Published at
2013-11-18T02:55Z
3813 days ago
Modified
2020-05-12T14:21Z
1446 days ago
CWE-200
Problem type

References


URLType
github.com
https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee		CONFIRM
bugzilla.redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=960192		CONFIRM
[oss-security] 20130506 Re: CVE request: OpenVPN use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt
http://www.openwall.com/lists/oss-security/2013/05/06/6		MLIST
openSUSE-SU-2013:1649
http://lists.opensuse.org/opensuse-updates/2013-11/msg00016.html		SUSE
openSUSE-SU-2013:1645
http://lists.opensuse.org/opensuse-updates/2013-11/msg00012.html		SUSE
bugs.gentoo.org
https://bugs.gentoo.org/show_bug.cgi?id=468756		CONFIRM
community.openvpn.net
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc		CONFIRM
MDVSA-2013:167
http://www.mandriva.com/security/advisories?name=MDVSA-2013:167		MANDRIVA
FEDORA-2013-7552
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105568.html		FEDORA
FEDORA-2013-7531
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html		FEDORA

GET https://vulnerabilitydata.com/api/details/CVE-2013-2061

{
	"id": "CVE-2013-2061",
	"published_date": "2013-11-18T02:55Z",
	"last_modified_date": "2020-05-12T14:21Z",
	"assigner": "secalert@redhat.com",
	"description": "The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.",
	"references": [
		{
			"url": "https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee",
			"name": "https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee",
			"refsource": "CONFIRM",
			"tags": [
				"Exploit",
				"Patch"
			]
		},
		{
			"url": "https://bugzilla.redhat.com/show_bug.cgi?id=960192",
			"name": "https://bugzilla.redhat.com/show_bug.cgi?id=960192",
			"refsource": "CONFIRM",
			"tags": []
		},
		{
			"url": "http://www.openwall.com/lists/oss-security/2013/05/06/6",
			"name": "[oss-security] 20130506 Re: CVE request: OpenVPN use of non-constant-time  memcmp in HMAC comparison in openvpn_decrypt",
			"refsource": "MLIST",
			"tags": []
		},
		{
			"url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00016.html",
			"name": "openSUSE-SU-2013:1649",
			"refsource": "SUSE",
			"tags": []
		},
		{
			"url": "http://lists.opensuse.org/opensuse-updates/2013-11/msg00012.html",
			"name": "openSUSE-SU-2013:1645",
			"refsource": "SUSE",
			"tags": [
				"Vendor Advisory"
			]
		},
		{
			"url": "https://bugs.gentoo.org/show_bug.cgi?id=468756",
			"name": "https://bugs.gentoo.org/show_bug.cgi?id=468756",
			"refsource": "CONFIRM",
			"tags": []
		},
		{
			"url": "https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc",
			"name": "https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc",
			"refsource": "CONFIRM",
			"tags": []
		},
		{
			"url": "http://www.mandriva.com/security/advisories?name=MDVSA-2013:167",
			"name": "MDVSA-2013:167",
			"refsource": "MANDRIVA",
			"tags": []
		},
		{
			"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105568.html",
			"name": "FEDORA-2013-7552",
			"refsource": "FEDORA",
			"tags": []
		},
		{
			"url": "http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html",
			"name": "FEDORA-2013-7531",
			"refsource": "FEDORA",
			"tags": []
		}
	],
	"impact": {
		"baseMetricV2": {
			"cvssV2": {
				"version": "2.0",
				"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
				"accessVector": "NETWORK",
				"accessComplexity": "HIGH",
				"authentication": "NONE",
				"confidentialityImpact": "PARTIAL",
				"integrityImpact": "NONE",
				"availabilityImpact": "NONE",
				"baseScore": 2.6
			},
			"severity": "LOW",
			"exploitabilityScore": 4.9,
			"impactScore": 2.9,
			"obtainAllPrivilege": false,
			"obtainUserPrivilege": false,
			"obtainOtherPrivilege": false,
			"userInteractionRequired": false
		}
	},
	"problem_type": "CWE-200"
}