CVE-2013-2061

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
2.6 UNKNOWN
NETWORK
HIGH
AV:N/AC:H/Au:N/C:P/I:N/A:N
redhatCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 79%
VendorProductVersion
openvpnopenvpn
𝑥
≤ 2.3.0
openvpnopenvpn
1.2.0
openvpnopenvpn
1.2.1
openvpnopenvpn
1.3.0
openvpnopenvpn
1.3.1
openvpnopenvpn
1.3.2
openvpnopenvpn
1.4.0
openvpnopenvpn
1.4.1
openvpnopenvpn
1.4.2
openvpnopenvpn
1.4.3
openvpnopenvpn
1.5.0
openvpnopenvpn
1.6.0
openvpnopenvpn
2.1.0
openvpnopenvpn
2.2.0
openvpnopenvpn_access_server
2.0.0
opensuseopensuse
11.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
openvpn
bullseye
2.5.1-3
fixed
bookworm
2.6.3-1+deb12u2
fixed
bookworm (security)
2.6.3-1+deb12u2
fixed
sid
2.6.12-1
fixed
trixie
2.6.12-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
openvpn
trusty
not-affected
saucy
not-affected
raring
ignored
quantal
ignored
precise
Fixed 2.2.1-8ubuntu1.3
released
oneiric
ignored
lucid
ignored
hardy
ignored
Common Weakness Enumeration
References
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105568.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00012.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00016.html
http://www.mandriva.com/security/advisories?name=MDVSA-2013:167
http://www.openwall.com/lists/oss-security/2013/05/06/6
https://bugs.gentoo.org/show_bug.cgi?id=468756
https://bugzilla.redhat.com/show_bug.cgi?id=960192
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105568.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00012.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00016.html
http://www.mandriva.com/security/advisories?name=MDVSA-2013:167
http://www.openwall.com/lists/oss-security/2013/05/06/6
https://bugs.gentoo.org/show_bug.cgi?id=468756
https://bugzilla.redhat.com/show_bug.cgi?id=960192
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee