Bug 907589 (CVE-2013-0169, Lucky13) - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
Summary: CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
Status: CLOSED ERRATA
Alias: CVE-2013-0169, Lucky13
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20130204,repor...
Keywords: Security
Depends On: 907982 911051 911052 911061 911063 919303 919304 920868 920869
Blocks: 906729 907592 920007 954223 959037
TreeView+ depends on / blocked
 
Reported: 2013-02-04 19:16 UTC by Vincent Danen
Modified: 2019-06-08 19:25 UTC (History)
27 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-07-03 18:06:15 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0273 normal SHIPPED_LIVE Critical: java-1.6.0-openjdk security update 2013-02-20 15:51:34 UTC
Red Hat Product Errata RHSA-2013:0274 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security update 2013-02-20 16:11:57 UTC
Red Hat Product Errata RHSA-2013:0275 normal SHIPPED_LIVE Important: java-1.7.0-openjdk security update 2013-02-20 16:32:09 UTC
Red Hat Product Errata RHSA-2013:0531 normal SHIPPED_LIVE Critical: java-1.6.0-sun security update 2013-02-21 02:42:39 UTC
Red Hat Product Errata RHSA-2013:0532 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2013-02-21 02:42:30 UTC
Red Hat Product Errata RHSA-2013:0587 normal SHIPPED_LIVE Moderate: openssl security update 2013-03-05 02:11:42 UTC
Red Hat Product Errata RHSA-2013:0636 normal SHIPPED_LIVE Important: rhev-hypervisor6 security and bug fix update 2013-03-13 18:47:11 UTC
Red Hat Product Errata RHSA-2013:0782 normal SHIPPED_LIVE Moderate: openssl security update 2013-05-01 22:03:43 UTC
Red Hat Product Errata RHSA-2013:0783 normal SHIPPED_LIVE Moderate: openssl security update 2013-05-01 22:03:38 UTC
Red Hat Product Errata RHSA-2013:0822 normal SHIPPED_LIVE Critical: java-1.7.0-ibm security update 2013-11-15 00:13:34 UTC
Red Hat Product Errata RHSA-2013:0823 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2013-11-13 16:10:04 UTC
Red Hat Product Errata RHSA-2013:0833 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 6.1.0 update 2013-05-20 18:31:18 UTC
Red Hat Product Errata RHSA-2013:0855 normal SHIPPED_LIVE Important: java-1.5.0-ibm security update 2013-11-15 00:12:20 UTC
Red Hat Product Errata RHSA-2013:1013 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 update 2013-07-03 20:18:21 UTC
Red Hat Product Errata RHSA-2013:1455 normal SHIPPED_LIVE Low: Red Hat Network Satellite server IBM Java Runtime security update 2013-10-23 20:30:21 UTC
Red Hat Product Errata RHSA-2013:1456 normal SHIPPED_LIVE Low: Red Hat Network Satellite server IBM Java Runtime security update 2013-10-23 20:29:56 UTC
Red Hat Product Errata RHSA-2014:0416 normal SHIPPED_LIVE Important: rhevm-spice-client security update 2014-04-17 16:23:34 UTC

Description Vincent Danen 2013-02-04 19:16:50 UTC
A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported.  This vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection, when CBC-mode encryption is used.

This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations).  As such, it affects all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2.  It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks.  All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.

The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of the last byte in any block of plaintext).

To perform a successful attack, when TLS is used, a large number of TLS sessions are required (target plaintext must be sent repeatedly in the same position in the plaintext stream across the sessions).  For DTLS, a successful attack can be carried out in a single session.  The attacker must also be located close to the machine being attacked.

Further details are noted in the paper.

Current status of fixes in various implementations:

* OpenSSL has a patch in development
* NSS has a patch in development
* GnuTLS is fixed in versions 2.12.23, 3.0.28, and 3.1.7
* PolarSSL is fixed in version 1.2.5
* BouncyCastle has a patch that will be included in the forthcoming 1.48 version

Full paper:

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

External References:

http://www.isg.rhul.ac.uk/tls/
http://www.openssl.org/news/secadv_20130205.txt
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released

Comment 3 Vincent Danen 2013-02-05 15:25:43 UTC
Created polarssl tracking bugs for this issue

Affects: fedora-all [bug 907982]

Comment 6 Vincent Danen 2013-02-05 17:01:02 UTC
This is fixed in OpenSSL 1.0.1d, 1.0.0k, and 0.9.8y and referenced as CVE-2013-0169.  What is unclear is whether or not this CVE is for the OpenSSL implementation or whether it is for all implementations (the question has been asked on oss-sec).

OpenSSL advisory:

http://www.openssl.org/news/secadv_20130205.txt

Comment 7 Orcan Ogetbil 2013-02-06 01:34:45 UTC
Hi, the bouncycastle update is problematic. Namely, we are stuck with version 1.46 because the later version (1.47) comes with backward incompatible API changes. This affects the dependent libraries, in particular itext. Unfortunately we are also stuck with itext-2.1.7 because the next version series (itext-5.*) was vetoed by FE-Legal. 

Note that I do not maintain bouncycastle any more. I dropped my maintainership last August after an announcement in the Fedora-devel mailing list. To my knowledge no one picked it up yet, which makes me wonder why this bug CCd me. I can still provide some help though if you can supply a patch. If you provide a patch for bouncycastle-1.46 we can get around this problem.

Comment 8 Huzaifa S. Sidhpurwala 2013-02-06 04:03:03 UTC
Mozilla has assigned CVE-2013-1620 for this issue affecting nss.

References:

Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=822365
Upstream is still working on the final patch.

Comment 10 Huzaifa S. Sidhpurwala 2013-02-06 08:02:15 UTC
Here are the CVEs which have been assigned to this issue, affecting various products.

SSL/TLS protocol / OpenSSL               CVE-2013-0169  (this bug)
Mozilla Network Security Services (NSS)  CVE-2013-1620  (bug 908234)
GnuTLS                                   CVE-2013-1619  (bug 908238)
PolarSSL                                 three CVEs (see below)
    PolarSSL - TLS and DTLS protocol issue:      CVE-2013-0169  (this bug)
    PolarSSL - out-of-bounds comparisons:        CVE-2013-1621  (bug 908423)
    PolarSSL - lack of MAC check in some cases:  CVE-2013-1622  (bug 908425)
BouncyCastle                             CVE-2013-1624  (bug 908428)
yaSSL                                    CVE-2013-1623  (bug 908445)

Comment 11 Huzaifa S. Sidhpurwala 2013-02-06 08:38:11 UTC
This bug is used for CVE-2013-0169

Comment 12 Tomas Hoger 2013-02-06 09:40:50 UTC
(In reply to comment #7)
> Note that I do not maintain bouncycastle any more. I dropped my
> maintainership last August after an announcement in the Fedora-devel mailing
> list. To my knowledge no one picked it up yet, which makes me wonder why
> this bug CCd me.

Owners (and initial CC list members) of affected components are added to the CC list of security bugs by a script used to create these bugs.  You got CCed here because bugzilla notes you as both owner and initial CC list member for component bouncycastle and product Fedora.

Comment 13 Tomas Hoger 2013-02-06 14:39:57 UTC
OpenSSL fixes seems to be split across several commits:

0.9.8:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=270881316664396326c461ec7a124aec2c6cc081
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=35a65e814beb899fa1c69a7673a8956c6059dce7
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a33e6702a0db1b9f4648d247b8b28a5c0e42ca13
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2928cb4c82d6516d9e65ede4901a5957d8c39c32
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b3a959a337b8083bc855623f24cebaf43a477350
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=be88529753897c29c677d1becb321f0072c0659c
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=99f5093347c65eecbd05f0668aea94b32fcf20d7
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=24b28060975c01b749391778d13ec2ea1323a1aa
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=924b11742296c13816a9f301e76fea023003920c
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1909df070fb5c5b87246a2de19c17588deba5818
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=33ccde59a1ece0f68cc4b64e930001ab230725b1
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f9345a2f0b592457fc4a619ac98ea59ffd394ba
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=40e0de03955e218f45a7979cb46fba193f4e7fc2

1.0.0:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9c00a950604aca819cee977f1dcb4b45f2af3aa6
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e5420be6cd09af2550b128575a675490cfba0483
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f852b60797dc68aa86c99c4f7b905488d1538d99
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=080f39539295d2c7c932e79dd670526b90a215a8
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=610dfc3ef4c4019394534023115226f4ed0e7204
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b23da2919b332fd83fa6de87caacb0651f64a3f5
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3cdaca2436643908863c6a62918b0d9703477655
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=11c48a0fd20d2ec091fde218449f3ba0ff1cf672
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=33f44acbbe83ab718ae15c0d2c6a57e802705a36

Comment 14 Tomas Mraz 2013-02-06 19:37:42 UTC
It seems that there are some problems with openssl-1.0.1d (at least, perhaps also with the older branch releases).

Comment 21 Tomas Hoger 2013-02-20 06:35:22 UTC
This problem was addressed in Oracle Java SE 7u15, 6u41, 5.0u40 and 1.4.2_42:

http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html

Comment 22 Tomas Hoger 2013-02-20 08:37:18 UTC
OpenJDK upstream fix, as included in IcedTea7 repositories:

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/2a879243603d

Comment 23 errata-xmlrpc 2013-02-20 10:52:02 UTC
This issue has been addressed in java-1.6.0-openjdk in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0273 https://rhn.redhat.com/errata/RHSA-2013-0273.html

Comment 24 errata-xmlrpc 2013-02-20 11:12:16 UTC
This issue has been addressed in java-1.6.0-openjdk in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0274 https://rhn.redhat.com/errata/RHSA-2013-0274.html

Comment 25 errata-xmlrpc 2013-02-20 11:32:37 UTC
This issue has been addressed in java-1.7.0-openjdk in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2013:0275 https://rhn.redhat.com/errata/RHSA-2013-0275.html

Comment 26 errata-xmlrpc 2013-02-20 21:45:07 UTC
This issue has been addressed in java-1.7.0-oracle in following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2013:0532 https://rhn.redhat.com/errata/RHSA-2013-0532.html

Comment 27 errata-xmlrpc 2013-02-20 21:46:23 UTC
This issue has been addressed in java-1.6.0-sun in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0531 https://rhn.redhat.com/errata/RHSA-2013-0531.html

Comment 28 Tomas Hoger 2013-02-21 10:05:13 UTC
Fixed in upstream IcedTea versions IcedTea6 1.11.8, and 1.12.3, and IcedTea7 2.1.6, 2.2.6, and 2.3.7:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021998.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/022040.html

Comment 29 Tomas Hoger 2013-02-22 13:18:04 UTC
(In reply to comment #22)
> OpenJDK upstream fix, as included in IcedTea7 repositories:
> 
> http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/2a879243603d

The same commit in upstream OpenJDK jdk7 repositories:

http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/068448362d88

Comment 30 Mads Kiilerich 2013-02-24 23:41:33 UTC
PolarSSL 1.2.5 with the fix(es) was already in rawhide.

PolarSSL do apparently still not have any users in Fedora, so I guess I will take the easy solution and just push 1.2.5 to f17 and f18.

Comment 33 Orcan Ogetbil 2013-02-26 14:07:13 UTC
This does not seem like a really important vulnerability. Can someone explain why so many people (mostly redhat)  are working on this? Is this where redhat saves its resources for?

Thanks!

Comment 34 Bill Stein 2013-02-28 22:24:09 UTC
For those of us who support products which embed the vulnerable component, this is a vital vulnerability.  Anything that is important to any of our customers is, by extension, important to us.

Comment 35 Orcan Ogetbil 2013-03-01 01:49:06 UTC
Thank you for the explanation. I read (parts of) the paper, and from what I understand, a successful attack does not seem to be realistically probable. The paper itself regards this as "only a theoretical threat".

I really do not think this is vital. Well, that's just me. 

The attention this bug received just made me curious. The fact that there are so many parts of Fedora that need more love and manpower made me question the rationale behind distributing the resources. Sorry if that sounded rude, that was not my intention.

Comment 36 Tomas Mraz 2013-03-01 07:18:09 UTC
I'd agree that in case of Fedora this attack is of very low severity. On the other hand in case of Fedora it was resolved by simple upgrades of the affected packages to new upstream releases so I don't see any waste of resources here.

Comment 37 Fedora Update System 2013-03-02 19:55:34 UTC
openssl-1.0.1e-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 38 NoShelter 2013-03-04 15:07:21 UTC
Are the fixes from the openssl packages still being backported to the Red Hat packages?  Specifically, I'm looking for the fixed version of openssl-0.9.8e-22.el5_8.4.

Comment 39 errata-xmlrpc 2013-03-04 21:16:02 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0587 https://rhn.redhat.com/errata/RHSA-2013-0587.html

Comment 40 Fedora Update System 2013-03-08 00:02:21 UTC
openssl-1.0.0k-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 41 Tomas Hoger 2013-03-12 22:22:34 UTC
Created mingw32-openssl tracking bugs for this issue

Affects: epel-5 [bug 920869]

Comment 42 Tomas Hoger 2013-03-12 22:22:42 UTC
Created mingw-openssl tracking bugs for this issue

Affects: fedora-all [bug 920868]

Comment 43 Tomas Hoger 2013-03-12 22:23:26 UTC
Created mingw32-openssl tracking bugs for this issue

Affects: epel-5 [bug 920869]

Comment 44 Tomas Hoger 2013-03-12 22:23:30 UTC
Created mingw-openssl tracking bugs for this issue

Affects: fedora-all [bug 920868]

Comment 45 errata-xmlrpc 2013-03-13 14:47:46 UTC
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:0636 https://rhn.redhat.com/errata/RHSA-2013-0636.html

Comment 48 errata-xmlrpc 2013-05-01 18:04:36 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0783 https://rhn.redhat.com/errata/RHSA-2013-0783.html

Comment 49 errata-xmlrpc 2013-05-01 18:04:52 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0782 https://rhn.redhat.com/errata/RHSA-2013-0782.html

Comment 52 errata-xmlrpc 2013-05-14 17:59:06 UTC
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0823 https://rhn.redhat.com/errata/RHSA-2013-0823.html

Comment 53 errata-xmlrpc 2013-05-14 18:01:50 UTC
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0822 https://rhn.redhat.com/errata/RHSA-2013-0822.html

Comment 54 errata-xmlrpc 2013-05-20 14:33:04 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html

Comment 59 errata-xmlrpc 2013-05-22 18:43:25 UTC
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0855 https://rhn.redhat.com/errata/RHSA-2013-0855.html

Comment 60 errata-xmlrpc 2013-07-03 16:19:11 UTC
This issue has been addressed in following products:

  Red Hat JBoss Web Server 2.0.1

Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html

Comment 61 errata-xmlrpc 2013-10-23 16:39:11 UTC
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.5

Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html

Comment 62 errata-xmlrpc 2013-10-23 16:50:34 UTC
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html

Comment 63 errata-xmlrpc 2014-04-17 12:27:11 UTC
This issue has been addressed in following products:

  RHEV Manager version 3.3

Via RHSA-2014:0416 https://rhn.redhat.com/errata/RHSA-2014-0416.html


Note You need to log in before you can comment on or make changes to this bug.