ID CVE-2013-1620
Summary The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
References
Vulnerable Configurations
  • cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*
    cpe:2.3:a:mozilla:network_security_services:*:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 09-10-2018 - 19:33)
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
redhat via4
advisories
  • bugzilla
    id 986969
    title nssutil_ReadSecmodDB() leaks memory
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment nspr is earlier than 0:4.9.5-1.el5_9
          oval oval:com.redhat.rhsa:tst:20131135002
        • comment nspr is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20150925003
      • AND
        • comment nspr-devel is earlier than 0:4.9.5-1.el5_9
          oval oval:com.redhat.rhsa:tst:20131135004
        • comment nspr-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20150925005
      • AND
        • comment nss is earlier than 0:3.14.3-6.el5_9
          oval oval:com.redhat.rhsa:tst:20131135006
        • comment nss is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20150925013
      • AND
        • comment nss-devel is earlier than 0:3.14.3-6.el5_9
          oval oval:com.redhat.rhsa:tst:20131135010
        • comment nss-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20150925009
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.14.3-6.el5_9
          oval oval:com.redhat.rhsa:tst:20131135012
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20150925007
      • AND
        • comment nss-tools is earlier than 0:3.14.3-6.el5_9
          oval oval:com.redhat.rhsa:tst:20131135008
        • comment nss-tools is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhba:tst:20150925011
    rhsa
    id RHSA-2013:1135
    released 2013-08-05
    severity Moderate
    title RHSA-2013:1135: nss and nspr security, bug fix, and enhancement update (Moderate)
  • bugzilla
    id 985955
    title nss-softokn: missing partial RELRO [6.4.z]
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment nspr is earlier than 0:4.9.5-2.el6_4
          oval oval:com.redhat.rhsa:tst:20131144005
        • comment nspr is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364006
      • AND
        • comment nspr-devel is earlier than 0:4.9.5-2.el6_4
          oval oval:com.redhat.rhsa:tst:20131144007
        • comment nspr-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364008
      • AND
        • comment nss-softokn is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144009
        • comment nss-softokn is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364024
      • AND
        • comment nss-softokn-devel is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144011
        • comment nss-softokn-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364026
      • AND
        • comment nss-softokn-freebl is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144015
        • comment nss-softokn-freebl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364028
      • AND
        • comment nss-softokn-freebl-devel is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144013
        • comment nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364030
      • AND
        • comment nss is earlier than 0:3.14.3-4.el6_4
          oval oval:com.redhat.rhsa:tst:20131144017
        • comment nss is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364010
      • AND
        • comment nss-devel is earlier than 0:3.14.3-4.el6_4
          oval oval:com.redhat.rhsa:tst:20131144021
        • comment nss-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364016
      • AND
        • comment nss-pkcs11-devel is earlier than 0:3.14.3-4.el6_4
          oval oval:com.redhat.rhsa:tst:20131144019
        • comment nss-pkcs11-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364018
      • AND
        • comment nss-sysinit is earlier than 0:3.14.3-4.el6_4
          oval oval:com.redhat.rhsa:tst:20131144023
        • comment nss-sysinit is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364014
      • AND
        • comment nss-tools is earlier than 0:3.14.3-4.el6_4
          oval oval:com.redhat.rhsa:tst:20131144025
        • comment nss-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364012
      • AND
        • comment nss-util is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144027
        • comment nss-util is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364020
      • AND
        • comment nss-util-devel is earlier than 0:3.14.3-3.el6_4
          oval oval:com.redhat.rhsa:tst:20131144029
        • comment nss-util-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhba:tst:20150364022
    rhsa
    id RHSA-2013:1144
    released 2013-08-07
    severity Moderate
    title RHSA-2013:1144: nss, nss-util, nss-softokn, and nspr security update (Moderate)
rpms
  • nspr-0:4.9.5-1.el5_9
  • nspr-devel-0:4.9.5-1.el5_9
  • nss-0:3.14.3-6.el5_9
  • nss-devel-0:3.14.3-6.el5_9
  • nss-pkcs11-devel-0:3.14.3-6.el5_9
  • nss-tools-0:3.14.3-6.el5_9
  • nspr-0:4.9.5-2.el6_4
  • nspr-devel-0:4.9.5-2.el6_4
  • nss-softokn-0:3.14.3-3.el6_4
  • nss-softokn-devel-0:3.14.3-3.el6_4
  • nss-softokn-freebl-0:3.14.3-3.el6_4
  • nss-softokn-freebl-devel-0:3.14.3-3.el6_4
  • nss-0:3.14.3-4.el6_4
  • nss-devel-0:3.14.3-4.el6_4
  • nss-pkcs11-devel-0:3.14.3-4.el6_4
  • nss-sysinit-0:3.14.3-4.el6_4
  • nss-tools-0:3.14.3-4.el6_4
  • nss-util-0:3.14.3-3.el6_4
  • nss-util-devel-0:3.14.3-3.el6_4
refmap via4
bid
  • 57777
  • 64758
bugtraq 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
confirm
fulldisc 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
gentoo GLSA-201406-19
misc http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
mlist [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations
suse
  • openSUSE-SU-2013:0630
  • openSUSE-SU-2013:0631
ubuntu USN-1763-1
Last major update 09-10-2018 - 19:33
Published 08-02-2013 - 19:55
Back to Top