Vigil@nce - OpenSSL: information disclosure in CBC mode, Lucky 13

February 2013 by Vigil@nce

This bulletin was written by Vigil@nce: http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can inject invalid encrypted messages into a TLS/DTLS
session in CBC mode, and measure the delay before the error
message is received, in order to progressively guess the cleartext
content of the session.

Impacted products: Debian, OpenSSL, Slackware

Severity: 1/4

Creation date: 12/02/2013

DESCRIPTION OF THE VULNERABILITY

The bulletin VIGILANCE-VUL-12374 (https://vigilance.fr/tree/1/12374)
describes a vulnerability in TLS/DTLS.

For OpenSSL, the solution VIGILANCE-SOL-28668
(https://vigilance.fr/tree/2/28668) corrected this vulnerability.
However, this solution was not complete.

An attacker can therefore still inject invalid encrypted messages into
a TLS/DTLS session in CBC mode, and measure the delay before the
error message is received, in order to progressively guess the cleartext
content of the session.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/OpenSSL-information-disclosure-in-CBC-mode-Lucky-13-12394

