Executive Summary
Summary | |
---|---|
Title | gnutls security update |
Informations | |||
---|---|---|---|
Name | RHSA-2013:0588 | First vendor Publication | 2013-03-04 |
Vendor | RedHat | Last vendor Modification | 2013-03-04 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:H/Au:N/C:P/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | High |
Cvss Expoit Score | 4.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated gnutls packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 3. Description: The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). It was discovered that GnuTLS leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. (CVE-2013-1619) Users of GnuTLS are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. For the update to take effect, all applications linked to the GnuTLS library must be restarted, or the system rebooted. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 908238 - CVE-2013-1619 gnutls: TLS CBC padding timing attack (lucky-13) |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2013-0588.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-310 | Cryptographic Issues |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:18268 | |||
Oval ID: | oval:org.mitre.oval:def:18268 | ||
Title: | USN-1752-1 -- gnutls13, gnutls26 vulnerability | ||
Description: | GnuTLS could be made to expose sensitive information over the network. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1752-1 CVE-2013-1619 | Version: | 7 |
Platform(s): | Ubuntu 12.10 Ubuntu 12.04 Ubuntu 11.10 Ubuntu 10.04 Ubuntu 8.04 | Product(s): | gnutls26 gnutls13 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20768 | |||
Oval ID: | oval:org.mitre.oval:def:20768 | ||
Title: | RHSA-2013:0588: gnutls security update (Moderate) | ||
Description: | The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:0588-01 CESA-2013:0588 CVE-2013-1619 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | gnutls |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22495 | |||
Oval ID: | oval:org.mitre.oval:def:22495 | ||
Title: | DEPRECATED: ELSA-2013:0588: gnutls security update (Moderate) | ||
Description: | The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:0588-01 CVE-2013-1619 | Version: | 7 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | gnutls |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23912 | |||
Oval ID: | oval:org.mitre.oval:def:23912 | ||
Title: | ELSA-2013:0588: gnutls security update (Moderate) | ||
Description: | The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:0588-01 CVE-2013-1619 | Version: | 6 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | gnutls |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:25546 | |||
Oval ID: | oval:org.mitre.oval:def:25546 | ||
Title: | SUSE-SU-2014:0322-1 -- Security update for gnutls | ||
Description: | The GnuTLS library received a critical security fix and other updates: * CVE-2014-0092: The X.509 certificate verification had incorrect error handling, which could lead to broken certificates marked as being valid. * CVE-2009-5138: A verification problem in handling V1 certificates could also lead to V1 certificates incorrectly being handled. * CVE-2013-2116: The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS allowed remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. * CVE-2013-1619: Timing attacks against hashing of padding was fixed which might have allowed disclosure of keys. (Lucky13 attack). Also the following non-security bugs have been fixed: * gnutls doesn't like root CAs without Basic Constraints. Permit V1 Certificate Authorities properly (bnc#760265) * memory leak in PSK authentication (bnc#835760) | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0322-1 CVE-2014-0092 CVE-2009-5138 CVE-2013-2116 CVE-2013-1619 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | gnutls |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25893 | |||
Oval ID: | oval:org.mitre.oval:def:25893 | ||
Title: | SUSE-SU-2013:0731-1 -- Security update for GnuTLS | ||
Description: | This GnuTLS update fixes incorrect padding which weakens the encryption. CVE-2013-1619 has been assigned to this issue. Security Issue reference: * CVE-2013-1619 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:0731-1 CVE-2013-1619 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Server 10 SUSE Linux Enterprise Desktop 11 SUSE Linux Enterprise Desktop 10 | Product(s): | GnuTLS |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27581 | |||
Oval ID: | oval:org.mitre.oval:def:27581 | ||
Title: | DEPRECATED: ELSA-2013-0588 -- gnutls security update (moderate) | ||
Description: | [2.8.5-10.1] - fix CVE-2013-1619 - fix TLS-CBC timing attack (#908238) | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-0588 CVE-2013-1619 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | gnutls |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-07-31 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2015-0101.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_gnutls_20130924.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-1076.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-0636.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-428.nasl - Type : ACT_GATHER_INFO |
2013-10-29 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201310-18.nasl - Type : ACT_GATHER_INFO |
2013-10-15 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-287-03.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-172.nasl - Type : ACT_GATHER_INFO |
2013-09-04 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-197.nasl - Type : ACT_GATHER_INFO |
2013-09-02 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-242-03.nasl - Type : ACT_GATHER_INFO |
2013-09-02 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-242-01.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0588.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-0883.nasl - Type : ACT_GATHER_INFO |
2013-05-31 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130530_gnutls_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-05-31 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0883.nasl - Type : ACT_GATHER_INFO |
2013-05-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0883.nasl - Type : ACT_GATHER_INFO |
2013-05-01 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_gnutls-130424.nasl - Type : ACT_GATHER_INFO |
2013-05-01 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_gnutls-8554.nasl - Type : ACT_GATHER_INFO |
2013-04-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-040.nasl - Type : ACT_GATHER_INFO |
2013-03-13 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2013-2984.nasl - Type : ACT_GATHER_INFO |
2013-03-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-0588.nasl - Type : ACT_GATHER_INFO |
2013-03-06 | Name : The remote Fedora host is missing a security update. File : fedora_2013-2892.nasl - Type : ACT_GATHER_INFO |
2013-03-05 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0588.nasl - Type : ACT_GATHER_INFO |
2013-03-05 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20130304_gnutls_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-02-28 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1752-1.nasl - Type : ACT_GATHER_INFO |
2013-02-18 | Name : The remote Fedora host is missing a security update. File : fedora_2013-2128.nasl - Type : ACT_GATHER_INFO |
2013-02-18 | Name : The remote Fedora host is missing a security update. File : fedora_2013-2110.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-11-08 13:32:02 |
|
2014-02-17 11:56:57 |
|
2013-06-05 13:24:40 |
|
2013-03-05 00:17:56 |
|