CVE-2013-1619

GnuTLS < 2.12.23, 3.0.x < 3.0.28, 3.1.x < 3.1.7 - Timing Side-Channel Attack via CBC Padding MAC Check

Title source: llm
STIX 2.1

Description

The TLS implementation in GnuTLS before 2.12.23, 3.0.x before 3.0.28, and 3.1.x before 3.1.7 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

References (14)

Core 14
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2013-0588.html
Various Sources x_refsource_misc
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/57260
Various Sources x_refsource_confirm
http://www.gnutls.org/security.html#GNUTLS-SA-2013-1
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/57274
Mailing List mailing-list x_refsource_mlist
http://openwall.com/lists/oss-security/2013/02/05/24
Vendor Advisory vendor-advisory x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1752-1
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2013-05/msg00023.html

Scores

EPSS 0.0115
EPSS Percentile 78.7%

Details

CWE
CWE-310
Status published
Products (50)
gnu/gnutls 2.0.0
gnu/gnutls 2.0.1
gnu/gnutls 2.0.2
gnu/gnutls 2.0.3
gnu/gnutls 2.0.4
gnu/gnutls 2.1.0
gnu/gnutls 2.1.1
gnu/gnutls 2.1.2
gnu/gnutls 2.1.3
gnu/gnutls 2.1.4
... and 40 more
Published Feb 08, 2013
Tracked Since Feb 18, 2026