National Cyber Awareness System

Vulnerability Summary for CVE-2013-1619

Overview

The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://gitorious.org/gnutls/gnutls/commit/b8391806cd79095fe566f2401d8c7ad85a64b198

Type: Patch Information; Exploit

Hyperlink:https://gitorious.org/gnutls/gnutls/commit/b8391806cd79095fe566f2401d8c7ad85a64b198

External Source: CONFIRM

Name: https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0

Type: Patch Information; Exploit

Hyperlink:https://gitorious.org/gnutls/gnutls/commit/328ee22c1b3951e060c7124c7cb1cee592c59bc0

External Source: UBUNTU

Name: USN-1752-1

Hyperlink:http://www.ubuntu.com/usn/USN-1752-1

External Source: MISC

Name: http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

Hyperlink:http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

External Source: CONFIRM

Name: http://www.gnutls.org/security.html#GNUTLS-SA-2013-1

Hyperlink:http://www.gnutls.org/security.html#GNUTLS-SA-2013-1

External Source: REDHAT

Name: RHSA-2013:0588

Hyperlink:http://rhn.redhat.com/errata/RHSA-2013-0588.html

External Source: MLIST

Name: [oss-security] 20130205 Re: CVE request: TLS CBC padding timing flaw in various SSL / TLS implementations

Hyperlink:http://openwall.com/lists/oss-security/2013/02/05/24

External Source: CONFIRM

Name: http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html

Hyperlink:http://nmav.gnutls.org/2013/02/time-is-money-for-cbc-ciphersuites.html

External Source: SUSE

Name: openSUSE-SU-2013:0807

Hyperlink:http://lists.opensuse.org/opensuse-updates/2013-05/msg00023.html