CVE-2013-1623

EUVD-2013-1658
The TLS and DTLS implementations in wolfSSL CyaSSL before 2.5.0 do not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
4.3 UNKNOWN
NETWORK
MEDIUM
AV:N/AC:M/Au:N/C:P/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
Affected Products (NVD)
VendorProductVersion
yasslcyassl
𝑥
≤ 2.4.6
yasslcyassl
0.2.0
yasslcyassl
0.3.0
yasslcyassl
0.4.0
yasslcyassl
0.5.0
yasslcyassl
0.5.5
yasslcyassl
0.6.0
yasslcyassl
0.6.2
yasslcyassl
0.6.3
yasslcyassl
0.8.0
yasslcyassl
0.9.0
yasslcyassl
0.9.6
yasslcyassl
0.9.8
yasslcyassl
0.9.9
yasslcyassl
1.0.0:rc1
yasslcyassl
1.0.0:rc2
yasslcyassl
1.0.0:rc3
yasslcyassl
1.0.2
yasslcyassl
1.0.3
yasslcyassl
1.0.6
yasslcyassl
1.1.0
yasslcyassl
1.2.0
yasslcyassl
1.3.0
yasslcyassl
1.4.0
yasslcyassl
1.5.0
yasslcyassl
1.5.4
yasslcyassl
1.5.6
yasslcyassl
1.6.0
yasslcyassl
1.6.5
yasslcyassl
1.8.0
yasslcyassl
1.9.0
yasslcyassl
2.0.0:rc1
yasslcyassl
2.0.0:rc2
yasslcyassl
2.0.0:rc3
yasslcyassl
2.0.2
yasslcyassl
2.0.6
yasslcyassl
2.0.8
yasslcyassl
2.2.0
yasslcyassl
2.3.0
yasslcyassl
2.4.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mysql-5.1
hardy
dne
lucid
dne
oneiric
Fixed 5.1.69-0ubuntu0.11.10.1
released
precise
dne
quantal
dne
raring
dne
mysql-5.5
hardy
dne
lucid
dne
oneiric
dne
precise
Fixed 5.5.31-0ubuntu0.12.04.1
released
quantal
Fixed 5.5.31-0ubuntu0.12.10.1
released
raring
Fixed 5.5.31-0ubuntu0.13.04.1
released
mysql-dfsg-5.1
hardy
dne
lucid
Fixed 5.1.69-0ubuntu0.10.04.1
released
oneiric
dne
precise
dne
quantal
dne
raring
dne
Common Weakness Enumeration
References
http://openwall.com/lists/oss-security/2013/02/05/24
http://secunia.com/advisories/53372
http://security.gentoo.org/glsa/glsa-201308-06.xml
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.yassl.com/yaSSL/Blog/Entries/2013/2/5_WolfSSL%2C_provider_of_CyaSSL_Embedded_SSL%2C_releases_first_embedded_TLS_and_DTLS_protocol_fix_for_Lucky_Thirteen_Attack.html
http://openwall.com/lists/oss-security/2013/02/05/24
http://secunia.com/advisories/53372
http://security.gentoo.org/glsa/glsa-201308-06.xml
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.yassl.com/yaSSL/Blog/Entries/2013/2/5_WolfSSL%2C_provider_of_CyaSSL_Embedded_SSL%2C_releases_first_embedded_TLS_and_DTLS_protocol_fix_for_Lucky_Thirteen_Attack.html