Bug 907589 - (CVE-2013-0169, Lucky13) CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130204,repor...
: Security
Depends On: 907982 911051 911052 911061 911063 919303 919304 920868 920869
Blocks: 906729 907592 920007 954223 959037
  Show dependency treegraph
 
Reported: 2013-02-04 14:16 EST by Vincent Danen
Modified: 2014-10-15 06:59 EDT (History)
27 users (show)

See Also:
Fixed In Version: openssl 1.0.1d, openssl 1.0.0k, openssl 0.9.8y, polarssl 1.2.5, icedtea6 1.11.8, icedtea6 1.12.3, icedtea7 2.1.6, icedtea7 2.2.6, icedtea7 2.3.7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-07-03 14:06:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2013-02-04 14:16:50 EST
A flaw in how TLS/DTLS, when CBC-mode encryption is used, communicates was reported.  This vulnerability can allow for a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection, when CBC-mode encryption is used.

This flaw is in the TLS specification, and not a bug in a specific implementation (as such, it affects nearly all implementations).  As such, it affects all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2.  It also applies to implementations of SSL 3.0 and TLS 1.0 that incorporate countermeasures to deal with previous padding oracle attacks.  All TLS/DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.

The paper indicates that with OpenSSL, a full plaintext recovery attack is possible, and with GnuTLS, a partial plaintext recovery is possible (recovering up to 4 bits of the last byte in any block of plaintext).

To perform a successful attack, when TLS is used, a large number of TLS sessions are required (target plaintext must be sent repeatedly in the same position in the plaintext stream across the sessions).  For DTLS, a successful attack can be carried out in a single session.  The attacker must also be located close to the machine being attacked.

Further details are noted in the paper.

Current status of fixes in various implementations:

* OpenSSL has a patch in development
* NSS has a patch in development
* GnuTLS is fixed in versions 2.12.23, 3.0.28, and 3.1.7
* PolarSSL is fixed in version 1.2.5
* BouncyCastle has a patch that will be included in the forthcoming 1.48 version

Full paper:

http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

External References:

http://www.isg.rhul.ac.uk/tls/
http://www.openssl.org/news/secadv_20130205.txt
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released
Comment 3 Vincent Danen 2013-02-05 10:25:43 EST
Created polarssl tracking bugs for this issue

Affects: fedora-all [bug 907982]
Comment 6 Vincent Danen 2013-02-05 12:01:02 EST
This is fixed in OpenSSL 1.0.1d, 1.0.0k, and 0.9.8y and referenced as CVE-2013-0169.  What is unclear is whether or not this CVE is for the OpenSSL implementation or whether it is for all implementations (the question has been asked on oss-sec).

OpenSSL advisory:

http://www.openssl.org/news/secadv_20130205.txt
Comment 7 Orcan Ogetbil 2013-02-05 20:34:45 EST
Hi, the bouncycastle update is problematic. Namely, we are stuck with version 1.46 because the later version (1.47) comes with backward incompatible API changes. This affects the dependent libraries, in particular itext. Unfortunately we are also stuck with itext-2.1.7 because the next version series (itext-5.*) was vetoed by FE-Legal. 

Note that I do not maintain bouncycastle any more. I dropped my maintainership last August after an announcement in the Fedora-devel mailing list. To my knowledge no one picked it up yet, which makes me wonder why this bug CCd me. I can still provide some help though if you can supply a patch. If you provide a patch for bouncycastle-1.46 we can get around this problem.
Comment 8 Huzaifa S. Sidhpurwala 2013-02-05 23:03:03 EST
Mozilla has assigned CVE-2013-1620 for this issue affecting nss.

References:

Upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=822365
Upstream is still working on the final patch.
Comment 10 Huzaifa S. Sidhpurwala 2013-02-06 03:02:15 EST
Here are the CVEs which have been assigned to this issue, affecting various products.

SSL/TLS protocol / OpenSSL               CVE-2013-0169  (this bug)
Mozilla Network Security Services (NSS)  CVE-2013-1620  (bug 908234)
GnuTLS                                   CVE-2013-1619  (bug 908238)
PolarSSL                                 three CVEs (see below)
    PolarSSL - TLS and DTLS protocol issue:      CVE-2013-0169  (this bug)
    PolarSSL - out-of-bounds comparisons:        CVE-2013-1621  (bug 908423)
    PolarSSL - lack of MAC check in some cases:  CVE-2013-1622  (bug 908425)
BouncyCastle                             CVE-2013-1624  (bug 908428)
yaSSL                                    CVE-2013-1623  (bug 908445)
Comment 11 Huzaifa S. Sidhpurwala 2013-02-06 03:38:11 EST
This bug is used for CVE-2013-0169
Comment 12 Tomas Hoger 2013-02-06 04:40:50 EST
(In reply to comment #7)
> Note that I do not maintain bouncycastle any more. I dropped my
> maintainership last August after an announcement in the Fedora-devel mailing
> list. To my knowledge no one picked it up yet, which makes me wonder why
> this bug CCd me.

Owners (and initial CC list members) of affected components are added to the CC list of security bugs by a script used to create these bugs.  You got CCed here because bugzilla notes you as both owner and initial CC list member for component bouncycastle and product Fedora.
Comment 13 Tomas Hoger 2013-02-06 09:39:57 EST
OpenSSL fixes seems to be split across several commits:

0.9.8:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=270881316664396326c461ec7a124aec2c6cc081
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=35a65e814beb899fa1c69a7673a8956c6059dce7
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=a33e6702a0db1b9f4648d247b8b28a5c0e42ca13
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=2928cb4c82d6516d9e65ede4901a5957d8c39c32
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b3a959a337b8083bc855623f24cebaf43a477350
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=be88529753897c29c677d1becb321f0072c0659c
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=99f5093347c65eecbd05f0668aea94b32fcf20d7
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=24b28060975c01b749391778d13ec2ea1323a1aa
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=924b11742296c13816a9f301e76fea023003920c
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=1909df070fb5c5b87246a2de19c17588deba5818
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=33ccde59a1ece0f68cc4b64e930001ab230725b1
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=5f9345a2f0b592457fc4a619ac98ea59ffd394ba
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=40e0de03955e218f45a7979cb46fba193f4e7fc2

1.0.0:
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=9c00a950604aca819cee977f1dcb4b45f2af3aa6
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=e5420be6cd09af2550b128575a675490cfba0483
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f852b60797dc68aa86c99c4f7b905488d1538d99
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=080f39539295d2c7c932e79dd670526b90a215a8
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=610dfc3ef4c4019394534023115226f4ed0e7204
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=b23da2919b332fd83fa6de87caacb0651f64a3f5
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3cdaca2436643908863c6a62918b0d9703477655
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=11c48a0fd20d2ec091fde218449f3ba0ff1cf672
http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=33f44acbbe83ab718ae15c0d2c6a57e802705a36
Comment 14 Tomas Mraz 2013-02-06 14:37:42 EST
It seems that there are some problems with openssl-1.0.1d (at least, perhaps also with the older branch releases).
Comment 21 Tomas Hoger 2013-02-20 01:35:22 EST
This problem was addressed in Oracle Java SE 7u15, 6u41, 5.0u40 and 1.4.2_42:

http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html
Comment 22 Tomas Hoger 2013-02-20 03:37:18 EST
OpenJDK upstream fix, as included in IcedTea7 repositories:

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/2a879243603d
Comment 23 errata-xmlrpc 2013-02-20 05:52:02 EST
This issue has been addressed in java-1.6.0-openjdk in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:0273 https://rhn.redhat.com/errata/RHSA-2013-0273.html
Comment 24 errata-xmlrpc 2013-02-20 06:12:16 EST
This issue has been addressed in java-1.6.0-openjdk in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:0274 https://rhn.redhat.com/errata/RHSA-2013-0274.html
Comment 25 errata-xmlrpc 2013-02-20 06:32:37 EST
This issue has been addressed in java-1.7.0-openjdk in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2013:0275 https://rhn.redhat.com/errata/RHSA-2013-0275.html
Comment 26 errata-xmlrpc 2013-02-20 16:45:07 EST
This issue has been addressed in java-1.7.0-oracle in following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2013:0532 https://rhn.redhat.com/errata/RHSA-2013-0532.html
Comment 27 errata-xmlrpc 2013-02-20 16:46:23 EST
This issue has been addressed in java-1.6.0-sun in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0531 https://rhn.redhat.com/errata/RHSA-2013-0531.html
Comment 28 Tomas Hoger 2013-02-21 05:05:13 EST
Fixed in upstream IcedTea versions IcedTea6 1.11.8, and 1.12.3, and IcedTea7 2.1.6, 2.2.6, and 2.3.7:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/021998.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-February/022040.html
Comment 29 Tomas Hoger 2013-02-22 08:18:04 EST
(In reply to comment #22)
> OpenJDK upstream fix, as included in IcedTea7 repositories:
> 
> http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/2a879243603d

The same commit in upstream OpenJDK jdk7 repositories:

http://hg.openjdk.java.net/jdk7u/jdk7u-dev/jdk/rev/068448362d88
Comment 30 Mads Kiilerich 2013-02-24 18:41:33 EST
PolarSSL 1.2.5 with the fix(es) was already in rawhide.

PolarSSL do apparently still not have any users in Fedora, so I guess I will take the easy solution and just push 1.2.5 to f17 and f18.
Comment 33 Orcan Ogetbil 2013-02-26 09:07:13 EST
This does not seem like a really important vulnerability. Can someone explain why so many people (mostly redhat)  are working on this? Is this where redhat saves its resources for?

Thanks!
Comment 34 Bill Stein 2013-02-28 17:24:09 EST
For those of us who support products which embed the vulnerable component, this is a vital vulnerability.  Anything that is important to any of our customers is, by extension, important to us.
Comment 35 Orcan Ogetbil 2013-02-28 20:49:06 EST
Thank you for the explanation. I read (parts of) the paper, and from what I understand, a successful attack does not seem to be realistically probable. The paper itself regards this as "only a theoretical threat".

I really do not think this is vital. Well, that's just me. 

The attention this bug received just made me curious. The fact that there are so many parts of Fedora that need more love and manpower made me question the rationale behind distributing the resources. Sorry if that sounded rude, that was not my intention.
Comment 36 Tomas Mraz 2013-03-01 02:18:09 EST
I'd agree that in case of Fedora this attack is of very low severity. On the other hand in case of Fedora it was resolved by simple upgrades of the affected packages to new upstream releases so I don't see any waste of resources here.
Comment 37 Fedora Update System 2013-03-02 14:55:34 EST
openssl-1.0.1e-3.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 38 NoShelter 2013-03-04 10:07:21 EST
Are the fixes from the openssl packages still being backported to the Red Hat packages?  Specifically, I'm looking for the fixed version of openssl-0.9.8e-22.el5_8.4.
Comment 39 errata-xmlrpc 2013-03-04 16:16:02 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0587 https://rhn.redhat.com/errata/RHSA-2013-0587.html
Comment 40 Fedora Update System 2013-03-07 19:02:21 EST
openssl-1.0.0k-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 41 Tomas Hoger 2013-03-12 18:22:34 EDT
Created mingw32-openssl tracking bugs for this issue

Affects: epel-5 [bug 920869]
Comment 42 Tomas Hoger 2013-03-12 18:22:42 EDT
Created mingw-openssl tracking bugs for this issue

Affects: fedora-all [bug 920868]
Comment 43 Tomas Hoger 2013-03-12 18:23:26 EDT
Created mingw32-openssl tracking bugs for this issue

Affects: epel-5 [bug 920869]
Comment 44 Tomas Hoger 2013-03-12 18:23:30 EDT
Created mingw-openssl tracking bugs for this issue

Affects: fedora-all [bug 920868]
Comment 45 errata-xmlrpc 2013-03-13 10:47:46 EDT
This issue has been addressed in following products:

  RHEV-H and Agents for RHEL-6

Via RHSA-2013:0636 https://rhn.redhat.com/errata/RHSA-2013-0636.html
Comment 48 errata-xmlrpc 2013-05-01 14:04:36 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0783 https://rhn.redhat.com/errata/RHSA-2013-0783.html
Comment 49 errata-xmlrpc 2013-05-01 14:04:52 EDT
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0782 https://rhn.redhat.com/errata/RHSA-2013-0782.html
Comment 52 errata-xmlrpc 2013-05-14 13:59:06 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0823 https://rhn.redhat.com/errata/RHSA-2013-0823.html
Comment 53 errata-xmlrpc 2013-05-14 14:01:50 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0822 https://rhn.redhat.com/errata/RHSA-2013-0822.html
Comment 54 errata-xmlrpc 2013-05-20 10:33:04 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.1.0

Via RHSA-2013:0833 https://rhn.redhat.com/errata/RHSA-2013-0833.html
Comment 59 errata-xmlrpc 2013-05-22 14:43:25 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2013:0855 https://rhn.redhat.com/errata/RHSA-2013-0855.html
Comment 60 errata-xmlrpc 2013-07-03 12:19:11 EDT
This issue has been addressed in following products:

  Red Hat JBoss Web Server 2.0.1

Via RHSA-2013:1013 https://rhn.redhat.com/errata/RHSA-2013-1013.html
Comment 61 errata-xmlrpc 2013-10-23 12:39:11 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.5

Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html
Comment 62 errata-xmlrpc 2013-10-23 12:50:34 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html
Comment 63 errata-xmlrpc 2014-04-17 08:27:11 EDT
This issue has been addressed in following products:

  RHEV Manager version 3.3

Via RHSA-2014:0416 https://rhn.redhat.com/errata/RHSA-2014-0416.html

Note You need to log in before you can comment on or make changes to this bug.