CVE-2013-2566

Gentoo Linux Security Advisory 201406-19

Severity Score

5.9

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.

El algoritmo RC4, tal como se usa en el protocolo TLS y protocolo SSL, tiene muchos "single-byte biases", lo que hace que sea más fácil para atacantes remotos realizar ataques de recuperación de texto claro a través de análisis estadístico de texto cifrado en un gran número de sesiones que utilizan el mismo texto claro.

Multiple security issues was identified and fixed in mozilla NSPR, NSS, and firefox. Mozilla Network Security Services before 3.15.2 does not ensure that data structures are initialized before read operations, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a decryption failure. Integer overflow in Mozilla Network Security Services 3.15 before 3.15.3 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a large size value. Various other issues have also been addressed.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2013-03-14 CVE Reserved
2013-03-14 CVE Published
2024-08-06 CVE Updated
2025-03-20 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-326: Inadequate Encryption Strength

CAPEC

References (21)

URL	Tag	Source
http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html	Third Party Advisory
http://cr.yp.to/talks/2013.03.12/slides.pdf	Third Party Advisory
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705	Third Party Advisory
http://my.opera.com/securitygroup/blog/2013/03/20/on-the-precariousness-of-rc4	Third Party Advisory
http://www.isg.rhul.ac.uk/tls	Third Party Advisory
http://www.mozilla.org/security/announce/2013/mfsa2013-103.html	Third Party Advisory
http://www.opera.com/docs/changelogs/unified/1215	Third Party Advisory
http://www.opera.com/security/advisory/1046	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html	Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html	Third Party Advisory
http://www.securityfocus.com/bid/58796	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://marc.info/?l=bugtraq&m=143039468003789&w=2	2020-11-23
http://security.gentoo.org/glsa/glsa-201406-19.xml	2020-11-23
http://www.ubuntu.com/usn/USN-2031-1	2020-11-23
http://www.ubuntu.com/usn/USN-2032-1	2020-11-23
https://security.gentoo.org/glsa/201504-01	2020-11-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Fujitsu Search vendor "Fujitsu"	Sparc Enterprise M3000 Firmware Search vendor "Fujitsu" for product "Sparc Enterprise M3000 Firmware"	>= xcp < xcp_1121 Search vendor "Fujitsu" for product "Sparc Enterprise M3000 Firmware" and version " >= xcp < xcp_1121"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	Sparc Enterprise M3000 Search vendor "Fujitsu" for product "Sparc Enterprise M3000"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	Sparc Enterprise M4000 Firmware Search vendor "Fujitsu" for product "Sparc Enterprise M4000 Firmware"	>= xcp < xcp_1121 Search vendor "Fujitsu" for product "Sparc Enterprise M4000 Firmware" and version " >= xcp < xcp_1121"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	Sparc Enterprise M4000 Search vendor "Fujitsu" for product "Sparc Enterprise M4000"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	Sparc Enterprise M5000 Firmware Search vendor "Fujitsu" for product "Sparc Enterprise M5000 Firmware"	>= xcp < xcp_1121 Search vendor "Fujitsu" for product "Sparc Enterprise M5000 Firmware" and version " >= xcp < xcp_1121"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	Sparc Enterprise M5000 Search vendor "Fujitsu" for product "Sparc Enterprise M5000"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	Sparc Enterprise M8000 Firmware Search vendor "Fujitsu" for product "Sparc Enterprise M8000 Firmware"	>= xcp < xcp_1121 Search vendor "Fujitsu" for product "Sparc Enterprise M8000 Firmware" and version " >= xcp < xcp_1121"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	Sparc Enterprise M8000 Search vendor "Fujitsu" for product "Sparc Enterprise M8000"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	Sparc Enterprise M9000 Firmware Search vendor "Fujitsu" for product "Sparc Enterprise M9000 Firmware"	>= xcp < xcp_1121 Search vendor "Fujitsu" for product "Sparc Enterprise M9000 Firmware" and version " >= xcp < xcp_1121"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	Sparc Enterprise M9000 Search vendor "Fujitsu" for product "Sparc Enterprise M9000"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M10-1 Firmware Search vendor "Fujitsu" for product "M10-1 Firmware"	>= xcp < xcp2280 Search vendor "Fujitsu" for product "M10-1 Firmware" and version " >= xcp < xcp2280"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M10-1 Search vendor "Fujitsu" for product "M10-1"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M10-4 Firmware Search vendor "Fujitsu" for product "M10-4 Firmware"	>= xcp < xcp2280 Search vendor "Fujitsu" for product "M10-4 Firmware" and version " >= xcp < xcp2280"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M10-4 Search vendor "Fujitsu" for product "M10-4"	-	-	Safe
Fujitsu Search vendor "Fujitsu"	M10-4s Firmware Search vendor "Fujitsu" for product "M10-4s Firmware"	>= xcp < xcp2280 Search vendor "Fujitsu" for product "M10-4s Firmware" and version " >= xcp < xcp2280"	-	Affected	in	Fujitsu Search vendor "Fujitsu"	M10-4s Search vendor "Fujitsu" for product "M10-4s"	-	-	Safe
Oracle Search vendor "Oracle"		Communications Application Session Controller Search vendor "Oracle" for product "Communications Application Session Controller"				>= 3.0.0 <= 3.9.1 Search vendor "Oracle" for product "Communications Application Session Controller" and version " >= 3.0.0 <= 3.9.1"		-		Affected
Oracle Search vendor "Oracle"		Http Server Search vendor "Oracle" for product "Http Server"				11.1.1.7.0 Search vendor "Oracle" for product "Http Server" and version "11.1.1.7.0"		-		Affected
Oracle Search vendor "Oracle"		Http Server Search vendor "Oracle" for product "Http Server"				11.1.1.9.0 Search vendor "Oracle" for product "Http Server" and version "11.1.1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Http Server Search vendor "Oracle" for product "Http Server"				12.1.3.0.0 Search vendor "Oracle" for product "Http Server" and version "12.1.3.0.0"		-		Affected
Oracle Search vendor "Oracle"		Http Server Search vendor "Oracle" for product "Http Server"				12.2.1.1.0 Search vendor "Oracle" for product "Http Server" and version "12.2.1.1.0"		-		Affected
Oracle Search vendor "Oracle"		Http Server Search vendor "Oracle" for product "Http Server"				12.2.1.2.0 Search vendor "Oracle" for product "Http Server" and version "12.2.1.2.0"		-		Affected
Oracle Search vendor "Oracle"		Integrated Lights Out Manager Firmware Search vendor "Oracle" for product "Integrated Lights Out Manager Firmware"				>= 3.0.0 <= 3.2.11 Search vendor "Oracle" for product "Integrated Lights Out Manager Firmware" and version " >= 3.0.0 <= 3.2.11"		-		Affected
Oracle Search vendor "Oracle"		Integrated Lights Out Manager Firmware Search vendor "Oracle" for product "Integrated Lights Out Manager Firmware"				>= 4.0.0 <= 4.0.4 Search vendor "Oracle" for product "Integrated Lights Out Manager Firmware" and version " >= 4.0.0 <= 4.0.4"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"		esm		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				12.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				13.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "13.04"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				13.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "13.10"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Search vendor "Mozilla" for product "Firefox"				< 25.0.1 Search vendor "Mozilla" for product "Firefox" and version " < 25.0.1"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				< 17.0.11 Search vendor "Mozilla" for product "Firefox Esr" and version " < 17.0.11"		-		Affected
Mozilla Search vendor "Mozilla"		Firefox Esr Search vendor "Mozilla" for product "Firefox Esr"				>= 24.1.0 < 24.1.1 Search vendor "Mozilla" for product "Firefox Esr" and version " >= 24.1.0 < 24.1.1"		-		Affected
Mozilla Search vendor "Mozilla"		Seamonkey Search vendor "Mozilla" for product "Seamonkey"				< 2.22.1 Search vendor "Mozilla" for product "Seamonkey" and version " < 2.22.1"		-		Affected
Mozilla Search vendor "Mozilla"		Thunderbird Search vendor "Mozilla" for product "Thunderbird"				< 24.1.1 Search vendor "Mozilla" for product "Thunderbird" and version " < 24.1.1"		-		Affected
Mozilla Search vendor "Mozilla"		Thunderbird Esr Search vendor "Mozilla" for product "Thunderbird Esr"				< 17.0.11 Search vendor "Mozilla" for product "Thunderbird Esr" and version " < 17.0.11"		-		Affected