CVE-2017-13098 – BouncyCastle JCE TLS Bleichenbacher/ROBOT
https://notcve.org/view.php?id=CVE-2017-13098
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT." BouncyCastle TLS, en versiones anteriores a la 1.0.3 cuando está configurado para utilizar la JCE (Java Cryptography Extension) para funciones criptográficas, proporciona un oráculo de Bleichenbacher débil cuando se negocia una suite de cifrado TLS que utiliza un intercambio de claves RSA. Un atacante puede recuperar la clave privada desde una aplicación vulnerable. • http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html http://www.kb.cert.org/vuls/id/144389 http://www.securityfocus.com/bid/102195 https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c https://robotattack.org https://security.netapp.com/advisory/ntap-20171222-0001 https://www.debian.org/security/2017/dsa-4072 https://www.oracle.com/security-alerts/cpuoct2020.html • CWE-203: Observable Discrepancy •
CVE-2016-2427
https://notcve.org/view.php?id=CVE-2016-2427
The AES-GCM specification in RFC 5084, as used in Android 5.x and 6.x, recommends 12 octets for the aes-ICVlen parameter field, which might make it easier for attackers to defeat a cryptographic protection mechanism and discover an authentication key via a crafted application, aka internal bug 26234568. NOTE: The vendor disputes the existence of this potential issue in Android, stating "This CVE was raised in error: it referred to the authentication tag size in GCM, whose default according to ASN.1 encoding (12 bytes) can lead to vulnerabilities. After careful consideration, it was decided that the insecure default value of 12 bytes was a default only for the encoding and not default anywhere else in Android, and hence no vulnerability existed. **DISPUTADA** La especificación AES-GCM en RFC 5084,como es utilizado en Android 5.x y 6.x, recomienda 12 octetos para el campo de parámetro aes-ICVlen, lo que podría facilitar a atacantes derrotar el mecanismo de protección criptográfico y descubrir una clave de autenticación a través de una aplicación manipulada, también conocido como error interno 26234568. NOTA: El vendedor disputa la existencia de este potencial problema en Android, indicando que "Esta CVE fue levantada por error: se refería al tamaño de la etiqueta de autenticación en GCM, cuyo defecto de acuerdo con la codificación ASN.1 (12 bytes) puede llevar a vulnerabilidades. • http://source.android.com/security/bulletin/2016-04-02.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2015-7940 – bouncycastle: Invalid curve attack allowing to extract private keys
https://notcve.org/view.php?id=CVE-2015-7940
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack." La librería Bouncy Castle Java en versiones anteriores a 1.51 no valida un punto que se encuentra dentro de la curva elíptica, lo que facilita a atacantes remotos obtener claves privadas a través de una serie de intercambios de clave de curva elíptica Diffie Hellman (ECDH) manipulados, también conocida como un 'ataque de curva no válida'. It was found that bouncycastle is vulnerable to an invalid curve attack. An attacker could extract private keys used in elliptic curve cryptography with a few thousand queries. • http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html http://rhn.redhat.com/errata/RHSA-2016-2035.html http://rhn.redhat.com/errata/RHSA-2016-2036.html http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html http://www.debian.org/security/2015/dsa-3417 http://www.openwall.com/lists/oss-security/2015/10/22/7 http://www.openwall.com/lists/oss-security • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-310: Cryptographic Issues CWE-358: Improperly Implemented Security Check for Standard •
CVE-2013-1624 – bouncycastle: TLS CBC padding timing attack
https://notcve.org/view.php?id=CVE-2013-1624
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169. La implementación de TLS en la biblioteca Java de Bouncy Castle antes v1.48 y biblioteca C# antes de v1.8 no tiene debidamente en cuenta los ataques de tiempo al canal lateral en la operación de comprobación de incumplimiento MAC durante el proceso de relleno del CBC malformado, lo que permite a atacantes remotos realizar ataques distintivos y de texto plano, ataques de recuperación a través de análisis estadísticode tiempo de los paquetes hechos a mano, una cuestión relacionada con CVE-2013-0169. It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle. • http://openwall.com/lists/oss-security/2013/02/05/24 http://rhn.redhat.com/errata/RHSA-2014-0371.html http://rhn.redhat.com/errata/RHSA-2014-0372.html http://secunia.com/advisories/57716 http://secunia.com/advisories/57719 http://www.isg.rhul.ac.uk/tls/TLStiming.pdf https://access.redhat.com/security/cve/CVE-2013-1624 https://bugzilla.redhat.com/show_bug.cgi?id=908428 • CWE-310: Cryptographic Issues CWE-385: Covert Timing Channel •
CVE-2007-6721
https://notcve.org/view.php?id=CVE-2007-6721
The Legion of the Bouncy Castle Java Cryptography API before release 1.38, as used in Crypto Provider Package before 1.36, has unknown impact and remote attack vectors related to "a Bleichenbacher vulnerability in simple RSA CMS signatures without signed attributes." La Legión de la API de Bouncy Castle Java Cryptography anterior a versión 1.38, como es usada en Crypto Provider Package anterior a versión 1.36, presenta un impacto desconocido y vectores de ataque remoto relacionados con "a Bleichenbacher vulnerability in simple RSA CMS signatures without signed attributes". • http://freshmeat.net/projects/bouncycastlecryptoapi/releases/265580 http://www.bouncycastle.org/csharp http://www.bouncycastle.org/devmailarchive/msg08195.html http://www.bouncycastle.org/releasenotes.html http://www.osvdb.org/50358 http://www.osvdb.org/50359 http://www.osvdb.org/50360 •