Follow @discotekdotca
CVE-2003-0078
Current Description
ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."
Basic Data
| Published | March 03, 2003 |
|---|---|
| Last Modified | October 18, 2016 |
| Assigner | cve@mitre.org |
| Data Type | CVE |
| Data Format | MITRE |
| Data Version | 4.0 |
| Problem Type | NVD-CWE-Other |
| CVE Data Version | 4.0 |
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|---|
| CVSS 2 - Vector String | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| CVSS 2 - Access Vector | NETWORK |
| CVSS 2 - Access Complexity | LOW |
| CVSS 2 - Authentication | NONE |
| CVSS 2 - Confidentiality Impact | PARTIAL |
| CVSS 2 - Availability Impact | NONE |
| CVSS 2 - Base Score | 5.0 |
| Severity | MEDIUM |
| Exploitability Score | 10.0 |
| Impact Score | 2.9 |
| Obtain All Privilege | false |
| Obtain User Privilege | false |
| Obtain Other Privilege | false |
Base Metric V3
No data provided.
Configurations
-
OR - Configuration 1
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application Openssl Openssl 0.9.1c * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.2b * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.3 * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.4 * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.5 * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.5a * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6 * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6a * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6b * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6c * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6d * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6e * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6g * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6h * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.7 * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.7 beta1 * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.7 beta2 * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.7 beta3 * * * * * * � � � � -
OR - Configuration 2
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 OS Freebsd Freebsd 4.2 * * * * * * * � � � � 2.3 OS Freebsd Freebsd 4.3 * * * * * * * � � � � 2.3 OS Freebsd Freebsd 4.4 * * * * * * * � � � � 2.3 OS Freebsd Freebsd 4.5 * * * * * * * � � � � 2.3 OS Freebsd Freebsd 4.6 * * * * * * * � � � � 2.3 OS Freebsd Freebsd 4.7 * * * * * * * � � � � 2.3 OS Freebsd Freebsd 4.8 pre-release * * * * * * � � � � 2.3 OS Freebsd Freebsd 5.0 * * * * * * * � � � � 2.3 OS Openbsd Openbsd 3.1 * * * * * * * � � � � 2.3 OS Openbsd Openbsd 3.2 * * * * * * * � � � �
Vulnerable Software List
| Vendor | Product | Versions |
|---|---|---|
| Freebsd | Freebsd | 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 5.0 |
| Openbsd | Openbsd | 3.1, 3.2 |
| Openssl | Openssl | 0.9.1c, 0.9.2b, 0.9.3, 0.9.4, 0.9.5, 0.9.5a, 0.9.6, 0.9.6a, 0.9.6b, 0.9.6c, 0.9.6d, 0.9.6e, 0.9.6g, 0.9.6h, 0.9.7 |
References
| Name | Source | URL | Tags |
|---|---|---|---|
| NetBSD-SA2003-001 | ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc | NETBSD | |
| 20030501-01-I | ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I | SGI | |
| CLSA-2003:570 | http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570 | CONECTIVA | |
| 20030219 OpenSSL 0.9.7a and 0.9.6i released | http://marc.info/?l=bugtraq&m=104567627211904&w=2 | BUGTRAQ | |
| 20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl) | http://marc.info/?l=bugtraq&m=104568426824439&w=2 | BUGTRAQ | |
| GLSA-200302-10 | http://marc.info/?l=bugtraq&m=104577183206905&w=2 | GENTOO | |
| N-051 | http://www.ciac.org/ciac/bulletins/n-051.shtml | CIAC | |
| DSA-253 | http://www.debian.org/security/2003/dsa-253 | DEBIAN | Vendor Advisory |
| ssl-cbc-information-leak(11369) | http://www.iss.net/security_center/static/11369.php | XF | Vendor Advisory |
| ESA-20030220-005 | http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html | ENGARDE | |
| MDKSA-2003:020 | http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020 | MANDRAKE | |
| http://www.openssl.org/news/secadv_20030219.txt | http://www.openssl.org/news/secadv_20030219.txt | CONFIRM | Patch Vendor Advisory |
| 3945 | http://www.osvdb.org/3945 | OSVDB | |
| RHSA-2003:062 | http://www.redhat.com/support/errata/RHSA-2003-062.html | REDHAT | |
| RHSA-2003:063 | http://www.redhat.com/support/errata/RHSA-2003-063.html | REDHAT | |
| RHSA-2003:082 | http://www.redhat.com/support/errata/RHSA-2003-082.html | REDHAT | |
| RHSA-2003:104 | http://www.redhat.com/support/errata/RHSA-2003-104.html | REDHAT | |
| RHSA-2003:205 | http://www.redhat.com/support/errata/RHSA-2003-205.html | REDHAT | |
| 6884 | http://www.securityfocus.com/bid/6884 | BID | |
| 2003-0005 | http://www.trustix.org/errata/2003/0005 | TRUSTIX |