3242 matches found
bouncycastle: TLS CBC padding timing attack
It was discovered that bouncycastle leaked timing information when decrypting TLS/SSL protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL server as a padding oracle...
Not found the rear door: open source encryption software TrueCrypt security audit-vulnerability warning-the black bar safety net
TrueCrypt is a popular open source file encryption software, which the user includes a large number of“sensitive persons”, such as businessmen, politicians, journalists, and therefore its safety has been well received by the attention. 2 0 1 4 年 5 months, the open source encryption software...
UBUNTU-CVE-2015-0837
The mpipowm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."...
cryptopp -- multiple vulnerabilities
Multiple sources report: CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key operations for the Rabin-Williams digital signature algorithm, which allows remote attackers to obtain private keys via a timing attack...
OracleVM 2.2 : openssl (OVMSA-2014-0007)
The remote OracleVM system is missing necessary patches to address critical security updates : - fix for CVE-2014-0224 - SSL/TLS MITM vulnerability - replace expired GlobalSign Root CA certificate in ca-bundle.crt - fix for CVE-2013-0169 - SSL/TLS CBC timing attack 907589 - fix for CVE-2013-0166 ...
OracleVM 3.2 : onpenssl (OVMSA-2014-0008)
The remote OracleVM system is missing necessary patches to address critical security updates : - fix for CVE-2014-0224 - SSL/TLS MITM vulnerability - replace expired GlobalSign Root CA certificate in ca-bundle.crt - fix for CVE-2013-0169 - SSL/TLS CBC timing attack 907589 - fix for CVE-2013-0166 ...
IE GC information leakage the vulnerability of the gossip-vulnerability warning-the black bar safety net
This vulnerability is several months earlier dion cow release, also recently got a pwnie award of the prize, the original speaking of the flash, ff, etc. of the GC engine are the use of conserved marker removal algorithm and are not tag data or pointer, so the presence of this problem, dion cattl...
mysql: Remote Preauth User Enumeration flaw
Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames...
mysql: Remote Preauth User Enumeration flaw
Oracle MySQL 5.5.38 and earlier, 5.6.19 and earlier, and MariaDB 5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates different error messages with different time delays depending on whether a user name exists, which allows remote attackers to enumerate valid usernames...
SSH Username Enumeration
This module uses a malformed packet or timing attack to enumerate users on an OpenSSH server. The default action sends a malformed corrupted SSHMSGUSERAUTHREQUEST packet using public key authentication must be enabled to enumerate users. On some versions of OpenSSH under some configurations,...
CVE-2014-8315
polestarxml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 replies with different timing depending on if a connection can be made, which allows remote attackers to conduct port scanning attacks via a host name and port in the cms parameter...
joola.io: Timing Attack Side-Channel on API Token Verification
https://github.com/joola/joola/blob/develop/lib/dispatch/users.jsL514 Because tokens are compared with the === operator, this may be susceptible to timing attacks. More info: http://codahale.com/a-lesson-in-timing-attacks/ This is probably not the lowest hanging fruit for an attacker, but it's...
F5 Networks BIG-IP : SSL acceleration card timing vulnerability (K15500)
SSL virtual servers in F5 BIG-IP systems 10.x before 10.2.4 HF9, 11.x before 11.2.1 HF12, 11.3.0 before HF10, 11.4.0 before HF8, 11.4.1 before HF5, 11.5.0 before HF5, and 11.5.1 before HF5, when used with third-party Secure Sockets Layer SSL accelerator cards, might allow remote attackers to have...
PYSEC-2014-49
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation...
PYSEC-2014-75
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation...
Unmasking Google Users With a New Timing Attack
Researcher has discovered a new Timing attack that could unmask Google users under some special conditions. Andrew Cantino, the vice president of engineering at Mavenlink, detailed his attack in a blogpost st week. According to him, the attack could be used by an attacker to target a particular...
New Timing Attack Could De-Anonymize Google Users
A new timing attack has been disclosed that could de-anonymize Google users under particular conditions. Google acknowledged the issue to researcher Andrew Cantino, the vice president of engineering at Mavenlink, but told him it would not address the issue because the risk is low. “I agree that...
Ubuntu: Security Advisory (USN-2325-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Ubuntu 14.04 LTS : OpenStack Nova vulnerability (USN-2325-1)
The remote Ubuntu 14.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-2325-1 advisory. Alex Gaynor discovered that OpenStack Nova would sometimes respond with variable times when comparing authentication tokens. If nova were configured to proxy...
openstack-nova: timing attack issue allows access to other instances' configuration information
A side-channel timing attack flaw was found in Nova. An attacker could possibly use this flaw to guess valid instance ID signatures, giving them access to details of another instance, by analyzing the response times of requests for instance metadata. This issue only affected configurations that...