PT-2013-1247 · Gnu+3 · Gnutls+3

Kenny Paterson

Published

2013-02-08

Updated

2014-03-26

CVE-2013-1619

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions GnuTLS versions prior to 2.12.23 GnuTLS versions 3.0.x prior to 3.0.28 GnuTLS versions 3.1.x prior to 3.1.7

Description The issue affects the TLS implementation in GnuTLS, allowing remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets. This is related to the improper consideration of timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding.

Recommendations For GnuTLS versions prior to 2.12.23, update to version 2.12.23 or later. For GnuTLS versions 3.0.x prior to 3.0.28, update to version 3.0.28 or later. For GnuTLS versions 3.1.x prior to 3.1.7, update to version 3.1.7 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-310

Related Identifiers

BDU:2015-09730

CESA-2013_0588

CVE-2013-1619

OPENSUSE-SU-2014_0346-1

RHSA-2013:0588

RHSA-2013:0636

RHSA-2013_0588

SUSE-SU-2013_0731-1

USN-1752-1

Affected Products

Centos

Gnutls

Red Hat

Suse

PT-2013-1247 · Gnu+3 · Gnutls+3

CVE-2013-1619

Weakness Enumeration

Related Identifiers

Affected Products

References · 51