ID |
CVE-2013-1620
|
Summary |
The TLS implementation in Mozilla Network Security Services (NSS) does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. |
References |
|
Vulnerable Configurations |
|
CVSS |
Base: | 4.3 (as of 09-10-2018 - 19:33) |
Impact: | |
Exploitability: | |
|
CWE |
CWE-310 |
CAPEC |
|
Access |
Vector | Complexity | Authentication |
NETWORK |
MEDIUM |
NONE |
|
Impact |
Confidentiality | Integrity | Availability |
PARTIAL |
NONE |
NONE |
|
cvss-vector
via4
|
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
redhat
via4
|
advisories | bugzilla | id | 986969 | title | nssutil_ReadSecmodDB() leaks memory |
| oval | OR | comment | Red Hat Enterprise Linux must be installed | oval | oval:com.redhat.rhba:tst:20070304026 |
AND | comment | Red Hat Enterprise Linux 5 is installed | oval | oval:com.redhat.rhba:tst:20070331005 |
OR | AND | comment | nspr is earlier than 0:4.9.5-1.el5_9 | oval | oval:com.redhat.rhsa:tst:20131135001 |
comment | nspr is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhba:tst:20150925002 |
|
AND | comment | nspr-devel is earlier than 0:4.9.5-1.el5_9 | oval | oval:com.redhat.rhsa:tst:20131135003 |
comment | nspr-devel is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhba:tst:20150925004 |
|
AND | comment | nss is earlier than 0:3.14.3-6.el5_9 | oval | oval:com.redhat.rhsa:tst:20131135005 |
comment | nss is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhba:tst:20150925006 |
|
AND | comment | nss-devel is earlier than 0:3.14.3-6.el5_9 | oval | oval:com.redhat.rhsa:tst:20131135007 |
comment | nss-devel is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhba:tst:20150925008 |
|
AND | comment | nss-pkcs11-devel is earlier than 0:3.14.3-6.el5_9 | oval | oval:com.redhat.rhsa:tst:20131135009 |
comment | nss-pkcs11-devel is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhba:tst:20150925010 |
|
AND | comment | nss-tools is earlier than 0:3.14.3-6.el5_9 | oval | oval:com.redhat.rhsa:tst:20131135011 |
comment | nss-tools is signed with Red Hat redhatrelease key | oval | oval:com.redhat.rhba:tst:20150925012 |
|
|
|
|
| rhsa | id | RHSA-2013:1135 | released | 2013-08-05 | severity | Moderate | title | RHSA-2013:1135: nss and nspr security, bug fix, and enhancement update (Moderate) |
|
bugzilla | id | 985955 | title | nss-softokn: missing partial RELRO [6.4.z] |
| oval | OR | comment | Red Hat Enterprise Linux must be installed | oval | oval:com.redhat.rhba:tst:20070304026 |
AND | comment | Red Hat Enterprise Linux 6 is installed | oval | oval:com.redhat.rhba:tst:20111656003 |
OR | AND | comment | nspr is earlier than 0:4.9.5-2.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144001 |
comment | nspr is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364002 |
|
AND | comment | nspr-devel is earlier than 0:4.9.5-2.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144003 |
comment | nspr-devel is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364004 |
|
AND | comment | nss-softokn is earlier than 0:3.14.3-3.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144005 |
comment | nss-softokn is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364020 |
|
AND | comment | nss-softokn-devel is earlier than 0:3.14.3-3.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144007 |
comment | nss-softokn-devel is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364022 |
|
AND | comment | nss-softokn-freebl is earlier than 0:3.14.3-3.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144009 |
comment | nss-softokn-freebl is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364024 |
|
AND | comment | nss-softokn-freebl-devel is earlier than 0:3.14.3-3.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144011 |
comment | nss-softokn-freebl-devel is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364026 |
|
AND | comment | nss is earlier than 0:3.14.3-4.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144013 |
comment | nss is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364006 |
|
AND | comment | nss-devel is earlier than 0:3.14.3-4.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144015 |
comment | nss-devel is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364008 |
|
AND | comment | nss-pkcs11-devel is earlier than 0:3.14.3-4.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144017 |
comment | nss-pkcs11-devel is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364010 |
|
AND | comment | nss-sysinit is earlier than 0:3.14.3-4.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144019 |
comment | nss-sysinit is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364012 |
|
AND | comment | nss-tools is earlier than 0:3.14.3-4.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144021 |
comment | nss-tools is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364014 |
|
AND | comment | nss-util is earlier than 0:3.14.3-3.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144023 |
comment | nss-util is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364016 |
|
AND | comment | nss-util-devel is earlier than 0:3.14.3-3.el6_4 | oval | oval:com.redhat.rhsa:tst:20131144025 |
comment | nss-util-devel is signed with Red Hat redhatrelease2 key | oval | oval:com.redhat.rhba:tst:20150364018 |
|
|
|
|
| rhsa | id | RHSA-2013:1144 | released | 2013-08-07 | severity | Moderate | title | RHSA-2013:1144: nss, nss-util, nss-softokn, and nspr security update (Moderate) |
|
| rpms | - nspr-0:4.9.5-1.el5_9
- nspr-debuginfo-0:4.9.5-1.el5_9
- nspr-devel-0:4.9.5-1.el5_9
- nss-0:3.14.3-6.el5_9
- nss-debuginfo-0:3.14.3-6.el5_9
- nss-devel-0:3.14.3-6.el5_9
- nss-pkcs11-devel-0:3.14.3-6.el5_9
- nss-tools-0:3.14.3-6.el5_9
- nspr-0:4.9.5-2.el6_4
- nspr-debuginfo-0:4.9.5-2.el6_4
- nspr-devel-0:4.9.5-2.el6_4
- nss-0:3.14.3-4.el6_4
- nss-debuginfo-0:3.14.3-4.el6_4
- nss-devel-0:3.14.3-4.el6_4
- nss-pkcs11-devel-0:3.14.3-4.el6_4
- nss-softokn-0:3.14.3-3.el6_4
- nss-softokn-debuginfo-0:3.14.3-3.el6_4
- nss-softokn-devel-0:3.14.3-3.el6_4
- nss-softokn-freebl-0:3.14.3-3.el6_4
- nss-softokn-freebl-devel-0:3.14.3-3.el6_4
- nss-sysinit-0:3.14.3-4.el6_4
- nss-tools-0:3.14.3-4.el6_4
- nss-util-0:3.14.3-3.el6_4
- nss-util-debuginfo-0:3.14.3-3.el6_4
- nss-util-devel-0:3.14.3-3.el6_4
- rhev-hypervisor6-0:6.4-20130815.0.el6_4
|
|
refmap
via4
|
bid | | bugtraq | 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities | confirm | | fulldisc | 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities | gentoo | GLSA-201406-19 | misc | http://www.isg.rhul.ac.uk/tls/TLStiming.pdf | mlist | [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations | suse | - openSUSE-SU-2013:0630
- openSUSE-SU-2013:0631
| ubuntu | USN-1763-1 |
|
Last major update |
09-10-2018 - 19:33 |
Published |
08-02-2013 - 19:55 |
Last modified |
09-10-2018 - 19:33 |