Follow @discotekdotca
CVE-2003-0147
Current Description
OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).
| Referenced by CVEs: | CVE-2004-2682 |
Basic Data
| Published | March 31, 2003 |
|---|---|
| Last Modified | October 19, 2018 |
| Assigner | cve@mitre.org |
| Data Type | CVE |
| Data Format | MITRE |
| Data Version | 4.0 |
| Problem Type | NVD-CWE-Other |
| CVE Data Version | 4.0 |
Base Metric V2
| CVSS 2 - Version | 2.0 |
|---|---|
| CVSS 2 - Vector String | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| CVSS 2 - Access Vector | NETWORK |
| CVSS 2 - Access Complexity | LOW |
| CVSS 2 - Authentication | NONE |
| CVSS 2 - Confidentiality Impact | PARTIAL |
| CVSS 2 - Availability Impact | NONE |
| CVSS 2 - Base Score | 5.0 |
| Severity | MEDIUM |
| Exploitability Score | 10.0 |
| Impact Score | 2.9 |
| Obtain All Privilege | false |
| Obtain User Privilege | false |
| Obtain Other Privilege | false |
Base Metric V3
No data provided.
Configurations
-
OR - Configuration 1
Cpe Version Part Vendor Product Version Update Edition Language SW Edition Target SW Target HW Other Version Start Including Version End Including Version Start Excluding Version End Excluding 2.3 Application Openpkg Openpkg * * * * * * * * � � � � 2.3 Application Openpkg Openpkg 1.1 * * * * * * * � � � � 2.3 Application Openpkg Openpkg 1.2 * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6 * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6a * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6b * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6c * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6d * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6e * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6g * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6h * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.6i * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.7 * * * * * * * � � � � 2.3 Application Openssl Openssl 0.9.7a * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.7 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.8 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.9 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.10 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.11 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.12 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.13 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.14 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.15 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.16 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.17 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.18 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.19 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.20 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.21 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 3.22 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 4.0 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 4.01 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 4.02 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 4.03 * * * * * * * � � � � 2.3 Application Stunnel Stunnel 4.04 * * * * * * * � � � �
Vulnerable Software List
| Vendor | Product | Versions |
|---|---|---|
| Openpkg | Openpkg | *, 1.1, 1.2 |
| Openssl | Openssl | 0.9.6, 0.9.6a, 0.9.6b, 0.9.6c, 0.9.6d, 0.9.6e, 0.9.6g, 0.9.6h, 0.9.6i, 0.9.7, 0.9.7a |
| Stunnel | Stunnel | 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.7, 3.8, 3.9, 4.0, 4.01, 4.02, 4.03, 4.04 |
References
| Name | Source | URL | Tags |
|---|---|---|---|
| CSSA-2003-014.0 | ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-014.0.txt | CALDERA | |
| 20030501-01-I | ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I | SGI | |
| 20030313 OpenSSL Private Key Disclosure | http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0130.html | VULNWATCH | Vendor Advisory |
| http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf | http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf | MISC | |
| CLA-2003:625 | http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000625 | CONECTIVA | |
| 20030313 Vulnerability in OpenSSL | http://marc.info/?l=bugtraq&m=104766550528628&w=2 | BUGTRAQ | |
| 20030317 [ADVISORY] Timing Attack on OpenSSL | http://marc.info/?l=bugtraq&m=104792570615648&w=2 | BUGTRAQ | |
| 20030320 [OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl) | http://marc.info/?l=bugtraq&m=104819602408063&w=2 | BUGTRAQ | |
| GLSA-200303-15 | http://marc.info/?l=bugtraq&m=104829040921835&w=2 | GENTOO | |
| GLSA-200303-24 | http://marc.info/?l=bugtraq&m=104861762028637&w=2 | GENTOO | |
| DSA-288 | http://www.debian.org/security/2003/dsa-288 | DEBIAN | |
| GLSA-200303-23 | http://www.gentoo.org/security/en/glsa/glsa-200303-23.xml | GENTOO | |
| VU#997481 | http://www.kb.cert.org/vuls/id/997481 | CERT-VN | Third Party Advisory US Government Resource |
| MDKSA-2003:035 | http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:035 | MANDRAKE | |
| OpenPKG-SA-2003.019 | http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.019.html | OPENPKG | |
| http://www.openssl.org/news/secadv_20030317.txt | http://www.openssl.org/news/secadv_20030317.txt | CONFIRM | |
| RHSA-2003:101 | http://www.redhat.com/support/errata/RHSA-2003-101.html | REDHAT | |
| RHSA-2003:102 | http://www.redhat.com/support/errata/RHSA-2003-102.html | REDHAT | |
| 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL | http://www.securityfocus.com/archive/1/316165/30/25370/threaded | BUGTRAQ | |
| IMNX-2003-7+-001-01 | http://www.securityfocus.com/archive/1/316577/30/25310/threaded | IMMUNIX | |
| oval:org.mitre.oval:def:466 | https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A466 | OVAL |