715 matches found
MGASA-2018-0435 Updated gnutls packages fix security vulnerabilities
The updated packages fix security vulnerabilities: It was found that the GnuTLS implementation of HMAC-SHA-256 and HMAC-SHA-384 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical...
Vulnerability in OpenSSL - Microarchitecture timing vulnerability in ECC scalar multiplication
OpenSSL ECC scalar multiplication, used in e.g. ECDSA and ECDH, has been shown to be vulnerable to a microarchitecture timing side channel attack. An attacker with sufficient access to mount local timing attacks during ECDSA signature generation could recover the private key. Found by Alejandro...
gnutls: HMAC-SHA-256 vulnerable to Lucky thirteen attack due to not enough dummy function calls
It was found that GnuTLS's implementation of HMAC-SHA-256 was vulnerable to a Lucky Thirteen-style attack. A remote attacker could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets...
gnutls: HMAC-SHA-384 vulnerable to Lucky thirteen attack due to use of wrong constant
It was found that GnuTLS's implementation of HMAC-SHA-384 was vulnerable to a Lucky Thirteen-style attack. A remote attacker could use this flaw to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets...
CVE-2018-11846
The CVE-2018-11846 entry affects Snapdragon Mobile: SD 210/SD 212/SD 205, SD 845, and SD 850. The root cause is a non-time-constant memory comparison operation that can create timing/side-channel attacks. Exploitation details are not provided in the documents; there is no public exploit informati...
keycloak-core vulnerable to timing attacks against JWS token verification
Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks...
GHSA-W6GV-3R3V-GWGJ keycloak-core vulnerable to timing attacks against JWS token verification
Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in non-constant time, potentially leaving the application vulnerable to timing attacks...
RHEL 7 : Red Hat Single Sign-On 7.1 update on RHEL 7 (Moderate) (RHSA-2017:0873)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2017:0873 advisory. Red Hat Single Sign-On is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-o...
Timing Attack Through Insecure Password Comparison
hapi is vulnerable to timing attacks through constant time password comparison. The vulnerability exists due to the usage of !== to compare two password strings, allowing timing attacks to occur...
Timing Attacks
Stripe.net is vulnerable to timing attacks. The vulnerability exists due to the usage of non-constant time comparison methods, which causes information to be revealed through different time taken when comparing signatures...
DEBIAN-CVE-2018-10844
It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets...
Mozilla Firefox ESR < 60.1 Multiple Vulnerabilities
Binary data 700341.prm...
CPU Side-Channel Information Disclosure Vulnerabilities: August 2018
On August 14th, 2018, three vulnerabilities were disclosed by Intel and security researchers that leverage a speculative execution side-channel method referred to as L1 Terminal Fault (L1TF) that affects modern Intel microprocessors. These vulnerabilities could allow an unprivileged, local attacke...
PT-2018-3450 · Gnu +5 · Gnutls +5
Name of the Vulnerable Software and Affected Versions: GnuTLS affected versions not specified Description: The issue is related to the GnuTLS implementation of HMAC-SHA-256, which is vulnerable to a Lucky thirteen style attack. Remote attackers could exploit this flaw to conduct distinguishing...
Mozilla Thunderbird Security Advisories (MFSA2018-19, MFSA2018-19) - Windows
Mozilla Thunderbird is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mozilla:thunderbird";...
Mozilla Thunderbird Security Advisories (MFSA2018-19, MFSA2018-19) - Mac OS X
Mozilla Thunderbird is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2018 Greenbone AG Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s). SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:mozilla:thunderbird";...
OpenBSD Disables Intel Hyper-Threading to Prevent Spectre-Class Attacks
Security-oriented BSD operating system OpenBSD has decided to disable support for Intel's hyper-threading performance-boosting feature, citing security concerns over Spectre-style timing attacks. Introduced in 2002, Hyper-threading is Intel's implementation of Simultaneous Multi-Threading (SMT) tha...
Security Bulletin: Multiple vulnerabilities in ntp affect PowerKVM
Summary: PowerKVM is affected by several vulnerabilities in the Network Time Protocol. These vulnerabilities are now fixed. Vulnerability Details: CVEID: CVE-2015-5300 DESCRIPTION: Network Time Protocol (NTP) could allow a remote attacker to bypass security restrictions, caused by the failure to...
Security Bulletin: IBM Tivoli Network Manager IP Edition is affected by an Apache CXF vulnerability (CVE-2017-3156)
Summary Vulnerability has been addressed in the Apache CXF component of Tivoli Network Manager IP Edition. Vulnerability Details CVEID: CVE-2017-3156 DESCRIPTION: Apache CXF could provide weaker than expected security, caused by the failure to use the OAuth2 Hawk and JOSE MAC Validation code. A...