Executive Summary
Summary | |
---|---|
Title | New OpenSSL packages fix timing-based attack vulnerability |
Informations | |||
---|---|---|---|
Name | DSA-253 | First vendor Publication | 2003-02-24 |
Vendor | Debian | Last vendor Modification | 2003-02-24 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
A vulnerability has been discovered in OpenSSL, a Secure Socket Layer (SSL) implementation. In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and demonstrate a timing-based attack on CBC cipher suites used in SSL and TLS. OpenSSL has been found to vulnerable to this attack. For the stable distribution (woody) this problem has been fixed in version 0.9.6c-2.woody.2. For the old stable distribution (potato) this problem has been fixed in version 0.9.6c-0.potato.5. Please note that this updates the version from potato-proposed-updates that superseds the version in potato. For the unstable distribution (sid) this problem has been fixed in version 0.9.7a-1. We recommend that you upgrade your openssl packages. |
Original Source
Url : http://www.debian.org/security/2003/dsa-253 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-203 | Information Exposure Through Discrepancy |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 253-1 (openssl) File : nvt/deb_253_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
3945 | OpenSSL Vaudenay Timing Attack OpenSSL versions 0.9.6h and prior and 0.9.7 contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a repeated block of plaintext in multiple OpenSSL/TLS sessions occur. A crafted block of ciphertext can be repeatedly injected into each session, which will kill that session but may ultimately lead to the disclosure of the repeated plaintext block, resulting in a loss of confidentiality. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2005-03-18 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_28686.nasl - Type : ACT_GATHER_INFO |
2005-02-16 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_28685.nasl - Type : ACT_GATHER_INFO |
2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-253.nasl - Type : ACT_GATHER_INFO |
2004-07-31 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2003-020.nasl - Type : ACT_GATHER_INFO |
2004-07-25 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2003_011.nasl - Type : ACT_GATHER_INFO |
2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2003-063.nasl - Type : ACT_GATHER_INFO |
2003-02-20 | Name : The remote host has an application that is affected by multiple vulnerabilities. File : openssl_password_interception.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:31:17 |
|