CVE-2013-0169

SSL/TLS: CBC padding timing attack (lucky-13)

Severity Score (CVSS v2): 2.6
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

*Credits: N/A
CVSS Scores
Attack Vector: Network
Attack Complexity: High
Authentication: None
Confidentiality: Partial
Integrity: None
Availability: None

Attack Vector: Network
Attack Complexity: High
Authentication: None
Confidentiality: Partial
Integrity: Partial
Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2012-12-06 CVE Reserved
  • 2013-02-05 CVE Published
  • 2023-03-07 EPSS Updated
  • 2024-08-06 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-310: Cryptographic Issues
CAPEC
References (57)
URL Tag Source
http://blog.fuseyism.com/index.php/2013/02/20/security-icedtea-2-1-6-2-2-6-2-3-7-for-openjdk-7-released Third Party Advisory
http://openwall.com/lists/oss-security/2013/02/05/24 Mailing List
http://secunia.com/advisories/53623 Third Party Advisory
http://secunia.com/advisories/55108 Third Party Advisory
http://secunia.com/advisories/55139 Third Party Advisory
http://secunia.com/advisories/55322 Third Party Advisory
http://secunia.com/advisories/55350 Third Party Advisory
http://secunia.com/advisories/55351 Third Party Advisory
http://support.apple.com/kb/HT5880 Third Party Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21644047 Third Party Advisory
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf Third Party Advisory
http://www.kb.cert.org/vuls/id/737740 Third Party Advisory
http://www.matrixssl.org/news.html Third Party Advisory
http://www.oracle.com/technetwork/topics/security/javacpufeb2013update-1905892.html Third Party Advisory
http://www.securityfocus.com/bid/57778 Third Party Advisory
http://www.securitytracker.com/id/1029190 Third Party Advisory
http://www.splunk.com/view/SP-CAAAHXG Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA13-051A.html Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf Third Party Advisory
https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18841 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19016 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19424 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19540 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19608 Signature
https://puppet.com/security/cve/cve-2013-0169 Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-c03883001 Third Party Advisory
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084 Third Party Advisory
URL Date SRC
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html 2023-05-12
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html 2023-05-12
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html 2023-05-12
http://marc.info/?l=bugtraq&m=136396549913849&w=2 2023-05-12
http://marc.info/?l=bugtraq&m=136432043316835&w=2 2023-05-12
http://marc.info/?l=bugtraq&m=136439120408139&w=2 2023-05-12
http://marc.info/?l=bugtraq&m=136733161405818&w=2 2023-05-12
http://marc.info/?l=bugtraq&m=137545771702053&w=2 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-0587.html 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-0782.html 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-0783.html 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-0833.html 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-1455.html 2023-05-12
http://rhn.redhat.com/errata/RHSA-2013-1456.html 2023-05-12
http://security.gentoo.org/glsa/glsa-201406-32.xml 2023-05-12
http://www.debian.org/security/2013/dsa-2621 2023-05-12
http://www.debian.org/security/2013/dsa-2622 2023-05-12
http://www.mandriva.com/security/advisories?name=MDVSA-2013:095 2023-05-12
http://www.openssl.org/news/secadv_20130204.txt 2023-05-12
http://www.ubuntu.com/usn/USN-1735-1 2023-05-12
https://polarssl.org/tech-updates/releases/polarssl-1.2.5-released 2023-05-12
https://access.redhat.com/security/cve/CVE-2013-0169 2020-10-27
https://bugzilla.redhat.com/show_bug.cgi?id=907589 2020-10-27
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
Openssl | Openssl | >= 0.9.8 <= 0.9.8x | - | Affected
Openssl | Openssl | >= 1.0.0 <= 1.0.0j | - | Affected
Openssl | Openssl | >= 1.0.1 <= 1.0.1d | - | Affected
Oracle | Openjdk | 1.6.0 | - | Affected
Oracle | Openjdk | 1.6.0 | update1 | Affected
Oracle | Openjdk | 1.6.0 | update10 | Affected
Oracle | Openjdk | 1.6.0 | update11 | Affected
Oracle | Openjdk | 1.6.0 | update12 | Affected
Oracle | Openjdk | 1.6.0 | update13 | Affected
Oracle | Openjdk | 1.6.0 | update14 | Affected
Oracle | Openjdk | 1.6.0 | update15 | Affected
Oracle | Openjdk | 1.6.0 | update16 | Affected
Oracle | Openjdk | 1.6.0 | update17 | Affected
Oracle | Openjdk | 1.6.0 | update18 | Affected
Oracle | Openjdk | 1.6.0 | update19 | Affected
Oracle | Openjdk | 1.6.0 | update2 | Affected
Oracle | Openjdk | 1.6.0 | update20 | Affected
Oracle | Openjdk | 1.6.0 | update21 | Affected
Oracle | Openjdk | 1.6.0 | update22 | Affected
Oracle | Openjdk | 1.6.0 | update23 | Affected
Oracle | Openjdk | 1.6.0 | update24 | Affected
Oracle | Openjdk | 1.6.0 | update25 | Affected
Oracle | Openjdk | 1.6.0 | update26 | Affected
Oracle | Openjdk | 1.6.0 | update27 | Affected
Oracle | Openjdk | 1.6.0 | update29 | Affected
Oracle | Openjdk | 1.6.0 | update3 | Affected
Oracle | Openjdk | 1.6.0 | update30 | Affected
Oracle | Openjdk | 1.6.0 | update31 | Affected
Oracle | Openjdk | 1.6.0 | update32 | Affected
Oracle | Openjdk | 1.6.0 | update33 | Affected
Oracle | Openjdk | 1.6.0 | update34 | Affected
Oracle | Openjdk | 1.6.0 | update35 | Affected
Oracle | Openjdk | 1.6.0 | update37 | Affected
Oracle | Openjdk | 1.6.0 | update38 | Affected
Oracle | Openjdk | 1.6.0 | update4 | Affected
Oracle | Openjdk | 1.6.0 | update5 | Affected
Oracle | Openjdk | 1.6.0 | update6 | Affected
Oracle | Openjdk | 1.6.0 | update7 | Affected
Oracle | Openjdk | 1.7.0 | - | Affected
Oracle | Openjdk | 1.7.0 | update1 | Affected
Oracle | Openjdk | 1.7.0 | update10 | Affected
Oracle | Openjdk | 1.7.0 | update11 | Affected
Oracle | Openjdk | 1.7.0 | update13 | Affected
Oracle | Openjdk | 1.7.0 | update2 | Affected
Oracle | Openjdk | 1.7.0 | update3 | Affected
Oracle | Openjdk | 1.7.0 | update4 | Affected
Oracle | Openjdk | 1.7.0 | update5 | Affected
Oracle | Openjdk | 1.7.0 | update6 | Affected
Oracle | Openjdk | 1.7.0 | update7 | Affected
Oracle | Openjdk | 1.7.0 | update9 | Affected
Polarssl | Polarssl | 0.10.0 | - | Affected
Polarssl | Polarssl | 0.10.1 | - | Affected
Polarssl | Polarssl | 0.11.0 | - | Affected
Polarssl | Polarssl | 0.11.1 | - | Affected
Polarssl | Polarssl | 0.12.0 | - | Affected
Polarssl | Polarssl | 0.12.1 | - | Affected
Polarssl | Polarssl | 0.13.1 | - | Affected
Polarssl | Polarssl | 0.14.0 | - | Affected
Polarssl | Polarssl | 0.14.2 | - | Affected
Polarssl | Polarssl | 0.14.3 | - | Affected
Polarssl | Polarssl | 0.99 | pre1 | Affected
Polarssl | Polarssl | 0.99 | pre3 | Affected
Polarssl | Polarssl | 0.99 | pre4 | Affected
Polarssl | Polarssl | 0.99 | pre5 | Affected
Polarssl | Polarssl | 1.0.0 | - | Affected
Polarssl | Polarssl | 1.1.0 | - | Affected
Polarssl | Polarssl | 1.1.0 | rc0 | Affected
Polarssl | Polarssl | 1.1.0 | rc1 | Affected
Polarssl | Polarssl | 1.1.1 | - | Affected
Polarssl | Polarssl | 1.1.2 | - | Affected
Polarssl | Polarssl | 1.1.3 | - | Affected
Polarssl | Polarssl | 1.1.4 | - | Affected