CVE-2013-2566
MEDIUMCVSS 5.9/10EPSS 84.42%
Last modified
CVE-2013-2566 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.. EPSS estimates a 84.42% chance of exploitation in the next 30 days.
Description
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Oracle | Communications Application Session Controller | >= 3.0.0, <= 3.9.1 |
| Oracle | Http Server | 11.1.1.7.0 |
| Oracle | Http Server | 11.1.1.9.0 |
| Oracle | Http Server | 12.1.3.0.0 |
| Oracle | Http Server | 12.2.1.1.0 |
| Oracle | Http Server | 12.2.1.2.0 |
| Oracle | Integrated Lights Out Manager Firmware | >= 3.0.0, <= 3.2.11 |
| Oracle | Integrated Lights Out Manager Firmware | >= 4.0.0, <= 4.0.4 |
| Fujitsu | Sparc Enterprise M3000 Firmware | >= xcp, < xcp_1121 |
| Fujitsu | Sparc Enterprise M4000 Firmware | >= xcp, < xcp_1121 |
| Fujitsu | Sparc Enterprise M5000 Firmware | >= xcp, < xcp_1121 |
| Fujitsu | Sparc Enterprise M8000 Firmware | >= xcp, < xcp_1121 |
| Fujitsu | Sparc Enterprise M9000 Firmware | >= xcp, < xcp_1121 |
| Fujitsu | M10-1 Firmware | >= xcp, < xcp2280 |
| Fujitsu | M10-4 Firmware | >= xcp, < xcp2280 |
| Fujitsu | M10-4s Firmware | >= xcp, < xcp2280 |
| Canonical | Ubuntu Linux | 12.04 |
| Canonical | Ubuntu Linux | 12.10 |
| Canonical | Ubuntu Linux | 13.04 |
| Canonical | Ubuntu Linux | 13.10 |
| Mozilla | Firefox | < 17.0.11 |
| Mozilla | Firefox | < 25.0.1 |
| Mozilla | Firefox | >= 24.1.0, < 24.1.1 |
| Mozilla | Seamonkey | < 2.22.1 |
| Mozilla | Thunderbird | < 24.1.1 |
| Mozilla | Thunderbird Esr | < 17.0.11 |
References
- http://cr.yp.to/talks/2013.03.12/slides.pdfThird Party Advisory
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705Third Party Advisory
- http://marc.info/?l=bugtraq&m=143039468003789&w=2Issue Tracking, Third Party Advisory
- http://my.opera.com/securitygroup/blog/2013/03/20/on-the-precariousness-of-rc4Third Party Advisory
- http://security.gentoo.org/glsa/glsa-201406-19.xmlThird Party Advisory
- http://www.isg.rhul.ac.uk/tls/Third Party Advisory
- http://www.mozilla.org/security/announce/2013/mfsa2013-103.htmlThird Party Advisory
- http://www.opera.com/docs/changelogs/unified/1215/Third Party Advisory
- http://www.opera.com/security/advisory/1046Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlThird Party Advisory
- http://www.securityfocus.com/bid/58796Third Party Advisory, VDB Entry
- http://www.ubuntu.com/usn/USN-2031-1Third Party Advisory
- http://www.ubuntu.com/usn/USN-2032-1Third Party Advisory
- https://security.gentoo.org/glsa/201504-01Third Party Advisory
- http://cr.yp.to/talks/2013.03.12/slides.pdfThird Party Advisory
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705Third Party Advisory
- http://marc.info/?l=bugtraq&m=143039468003789&w=2Issue Tracking, Third Party Advisory
- http://my.opera.com/securitygroup/blog/2013/03/20/on-the-precariousness-of-rc4Third Party Advisory
- http://security.gentoo.org/glsa/glsa-201406-19.xmlThird Party Advisory
- http://www.isg.rhul.ac.uk/tls/Third Party Advisory
- http://www.mozilla.org/security/announce/2013/mfsa2013-103.htmlThird Party Advisory
- http://www.opera.com/docs/changelogs/unified/1215/Third Party Advisory
- http://www.opera.com/security/advisory/1046Third Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlThird Party Advisory
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlThird Party Advisory
- http://www.securityfocus.com/bid/58796Third Party Advisory, VDB Entry
- http://www.ubuntu.com/usn/USN-2031-1Third Party Advisory
- http://www.ubuntu.com/usn/USN-2032-1Third Party Advisory
- https://security.gentoo.org/glsa/201504-01Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2013-2566?
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
How severe is CVE-2013-2566?
CVE-2013-2566 has a CVSS score of 5.9/10 (MEDIUM severity). The EPSS model estimates a 84.42% probability of exploitation in the next 30 days.
How do I fix CVE-2013-2566?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.
Are you affected by CVE-2013-2566?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST