CVE-2013-0169
CVE-2013-0169 is a vulnerability of currently unknown severity. The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue. EPSS estimates a 35.58% chance of exploitation in the next 30 days.
Description
The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| OpenSSL | OpenSSL | >= 0.9.8, <= 0.9.8x | — |
| OpenSSL | OpenSSL | >= 1.0.0, <= 1.0.0j | — |
| OpenSSL | OpenSSL | >= 1.0.1, <= 1.0.1d | — |
| Oracle | OpenJDK | 1.6.0 | — |
| Oracle | OpenJDK | 1.7.0 | — |
| PolarSSL | PolarSSL | 0.10.0 | — |
| PolarSSL | PolarSSL | 0.10.1 | — |
| PolarSSL | PolarSSL | 0.11.0 | — |
| PolarSSL | PolarSSL | 0.11.1 | — |
| PolarSSL | PolarSSL | 0.12.0 | — |
| PolarSSL | PolarSSL | 0.12.1 | — |
| PolarSSL | PolarSSL | 0.13.1 | — |
| PolarSSL | PolarSSL | 0.14.0 | — |
| PolarSSL | PolarSSL | 0.14.2 | — |
| PolarSSL | PolarSSL | 0.14.3 | — |
| PolarSSL | PolarSSL | 0.99 | Pre1 |
| PolarSSL | PolarSSL | 1.0.0 | — |
| PolarSSL | PolarSSL | 1.1.0 | — |
| PolarSSL | PolarSSL | 1.1.1 | — |
| PolarSSL | PolarSSL | 1.1.2 | — |
| PolarSSL | PolarSSL | 1.1.3 | — |
| PolarSSL | PolarSSL | 1.1.4 | — |
References
- http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html (Mailing List, Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101366.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00020.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00000.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00002.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00020.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00001.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2015-03/msg00027.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=136396549913849&w=2 (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=136432043316835&w=2 (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=136439120408139&w=2 (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=136733161405818&w=2 (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=137545771702053&w=2 (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0587.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0782.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0783.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-0833.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-1455.html (Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2013-1456.html (Third Party Advisory)
- http://secunia.com/advisories/53623 (Third Party Advisory)
- http://secunia.com/advisories/55108 (Third Party Advisory)
- http://secunia.com/advisories/55139 (Third Party Advisory)
- http://secunia.com/advisories/55322 (Third Party Advisory)
- http://secunia.com/advisories/55350 (Third Party Advisory)
- http://secunia.com/advisories/55351 (Third Party Advisory)
- http://security.gentoo.org/glsa/glsa-201406-32.xml (Third Party Advisory)
- http://support.apple.com/kb/HT5880 (Third Party Advisory)
- http://www-01.ibm.com/support/docview.wss?uid=swg21644047 (Third Party Advisory)
- http://www.debian.org/security/2013/dsa-2621 (Third Party Advisory)
- http://www.debian.org/security/2013/dsa-2622 (Third Party Advisory)
- http://www.isg.rhul.ac.uk/tls/TLStiming.pdf (Third Party Advisory)
- http://www.kb.cert.org/vuls/id/737740 (Third Party Advisory, US Government Resource)
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:095 (Third Party Advisory)
- http://www.matrixssl.org/news.html (Third Party Advisory)
- http://www.openssl.org/news/secadv_20130204.txt (Vendor Advisory)
- http://www.securityfocus.com/bid/57778 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1029190 (Third Party Advisory, VDB Entry)
- http://www.splunk.com/view/SP-CAAAHXG (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-1735-1 (Third Party Advisory)
- http://www.us-cert.gov/cas/techalerts/TA13-051A.html (Third Party Advisory, US Government Resource)
- https://cert-portal.siemens.com/productcert/pdf/ssa-556833.pdf (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/09/msg00029.html (Third Party Advisory)
- https://puppet.com/security/cve/cve-2013-0169 (Third Party Advisory)
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0084 (Third Party Advisory)
Timeline
- Published
- Last Modified
- Status
- Modified
Source: NVD / NIST
