Lucene search
This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-2622.NASLHistoryFeb 14, 2013 - 12:00 a.m.
Debian DSA-2622-1 : polarssl - several vulnerabilities
2013-02-1400:00:00
This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
16
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.007 Low
EPSS
Percentile
80.3%
Multiple vulnerabilities have been found in PolarSSL. The Common Vulnerabilities and Exposures project identifies the following issues :
-
CVE-2013-0169 A timing side channel attack has been found in CBC padding allowing an attacker to recover pieces of plaintext via statistical analysis of crafted packages, known as the āLucky Thirteenā issue.
-
CVE-2013-1621 An array index error might allow remote attackers to cause a denial of service via vectors involving a crafted padding-length value during validation of CBC padding in a TLS session.
-
CVE-2013-1622 Malformed CBC data in a TLS session could allow remote attackers to conduct distinguishing attacks via statistical analysis of timing side-channel data for crafted packets.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-2622. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(64624);
script_version("1.26");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");
script_cve_id("CVE-2013-0169", "CVE-2013-1621");
script_bugtraq_id(57776, 57778, 57781);
script_xref(name:"DSA", value:"2622");
script_xref(name:"CEA-ID", value:"CEA-2019-0547");
script_name(english:"Debian DSA-2622-1 : polarssl - several vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
script_set_attribute(attribute:"description", value:
"Multiple vulnerabilities have been found in PolarSSL. The Common
Vulnerabilities and Exposures project identifies the following issues
:
- CVE-2013-0169
A timing side channel attack has been found in CBC
padding allowing an attacker to recover pieces of
plaintext via statistical analysis of crafted packages,
known as the 'Lucky Thirteen' issue.
- CVE-2013-1621
An array index error might allow remote attackers to
cause a denial of service via vectors involving a
crafted padding-length value during validation of CBC
padding in a TLS session.
- CVE-2013-1622
Malformed CBC data in a TLS session could allow remote
attackers to conduct distinguishing attacks via
statistical analysis of timing side-channel data for
crafted packets.");
script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=699887");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-0169");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-1621");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-1622");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/squeeze/polarssl");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2013/dsa-2622");
script_set_attribute(attribute:"solution", value:
"Upgrade the polarssl packages.
For the stable distribution (squeeze), these problems have been fixed
in version 0.12.1-1squeeze1.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"patch_publication_date", value:"2013/02/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/14");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:polarssl");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"6.0", prefix:"libpolarssl-dev", reference:"0.12.1-1squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"libpolarssl-runtime", reference:"0.12.1-1squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"libpolarssl0", reference:"0.12.1-1squeeze1")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
| Vendor | Product | Version | CPE |
|---|---|---|---|
| debian | debian_linux | polarssl | p-cpe:/a:debian:debian_linux:polarssl |
| debian | debian_linux | 6.0 | cpe:/o:debian:debian_linux:6.0 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1621
bugs.debian.org/cgi-bin/bugreport.cgi?bug=699887
packages.debian.org/source/squeeze/polarssl
security-tracker.debian.org/tracker/CVE-2013-0169
security-tracker.debian.org/tracker/CVE-2013-1621
security-tracker.debian.org/tracker/CVE-2013-1622
www.debian.org/security/2013/dsa-2622
Related
debian
debian
[SECURITY] [DSA 2622-1] polarssl security update
2013-02-13 20:17:01
[SECURITY] [DSA 2621-1] openssl security update
2013-02-13 20:07:41
openvas
openvas
Debian: Security Advisory (DSA-2622-1)
2013-02-12 00:00:00
Debian Security Advisory DSA 2622-1 (polarssl - several vulnerabilities)
2013-02-13 00:00:00
Fedora Update for polarssl FEDORA-2013-18251
2013-10-15 00:00:00
securityvulns
securityvulns
osv
osv
polarssl - several
2013-02-13 00:00:00
Improper Input Validation in Bouncy Castle
2022-05-14 02:14:04
CVE-2016-2107
2016-05-05 01:59:00
nvd
nvd
cve
cve
ubuntucve
ubuntucve
cvelist
cvelist
prion
prion
Code injection
2013-02-08 19:55:00
Design/Logic Flaw
2013-02-08 19:55:00
Design/Logic Flaw
2013-02-08 19:55:00
fedora
fedora
[SECURITY] Fedora 18 Update: polarssl-1.2.9-1.fc18
2013-10-14 07:00:42
[SECURITY] Fedora 18 Update: polarssl-1.2.9-1.fc18
2013-10-14 17:17:04
[SECURITY] Fedora 18 Update: polarssl-1.2.8-1.fc18
2013-09-20 16:27:34
mageia
mageia
Updated polarssl package fixes security vulnerabilities
2013-09-25 01:41:53
ibm
ibm
veracode
veracode
Timing Attacks
2017-02-10 05:59:15
Timing Side- Channel Attack
2019-01-15 08:52:54
Padding Oracle Attack
2017-01-27 03:10:31
nessus
nessus
OpenSSL 1.0.1 < 1.0.1e Information Disclosure
2013-02-13 00:00:00
IBM GSKit 7.x < 7.0.4.45 / 8.0.14.x < 8.0.14.27 TLS Side-Channel Timing Information Disclosure
2013-07-10 00:00:00
Ipswitch IMail Server 11.x / 12.x < 12.3 Information Disclosure
2014-07-14 00:00:00
f5
f5
K14190 : TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
2015-04-30 00:00:00
SOL14190 - TLS/DTLS 'Lucky 13' vulnerability CVE-2013-0169
2013-02-08 00:00:00
K15622 : wolfSSL CyaSSL vulnerability CVE-2013-1623
2014-09-25 00:00:00
slackware
slackware
openssl
2013-02-11 23:49:59
openssl
openssl
Vulnerability in OpenSSL CVE-2013-0169
2013-02-04 00:00:00
hackerone
hackerone
Legal Robot: LUCKY13 (CVE-2013-0169) effects legalrobot.com
2017-07-30 20:00:47
debiancve
debiancve
pentestpartners
pentestpartners
Vulnerabilities that (mostly) arenāt: LUCKY13
2024-05-03 05:12:27
gentoo
gentoo
PolarSSL: Multiple vulnerabilities
2013-10-17 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 7 package openssl10 version 1.0.0k-alt1
2013-02-27 00:00:00
Security fix for the ALT Linux 6 package openssl10 version 1.0.0k-alt1
2013-02-27 00:00:00
Security fix for the ALT Linux 9 package openssl1.1 version 1.0.0k-alt1
2013-02-27 00:00:00
oraclelinux
oraclelinux
java-1.6.0-openjdk security update
2013-02-20 00:00:00
amazon
amazon
Critical: openssl
2014-04-07 17:26:00
suse
suse
Security update for Java (important)
2013-02-22 20:04:33
java-1_6_0-openjdk: update to icedtea 1.12.3 (important)
2013-03-01 18:04:30
centos
centos
java security update
2013-02-20 20:11:32
java security update
2013-02-20 20:33:43
freebsd
freebsd
FreeBSD -- OpenSSL multiple vulnerabilities
2013-04-02 00:00:00
redhat
redhat
(RHSA-2013:0783) Moderate: openssl security update
2013-05-01 17:58:17
aix
aix
AIX OpenSSH Vulnerability
2013-04-08 15:19:58
Multiple OpenSSL vulnerabilities
2013-03-15 03:20:11
freebsd_advisory
freebsd_advisory
FreeBSD-SA-13:03.openssl
2013-04-02 00:00:00
alpinelinux
alpinelinux
CVE-2016-2107
2016-05-05 01:59:03
CVE-2018-0497
2018-07-28 17:29:00
ubuntu
ubuntu
OpenSSL regression
2013-02-28 00:00:00
OpenSSL vulnerability
2013-03-25 00:00:00
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.007 Low
EPSS
Percentile
80.3%
Related for DEBIAN_DSA-2622.NASL