CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS
Percentile: 30.7%
tlslite-ng version 0.7.3 and earlier, since commit
d7b288316bca7bcdd082e6ccff5491e241305233, contains a CWE-354: Improper
Validation of Integrity Check Value vulnerability in its TLS implementation,
in tlslite/utils/constanttime.py: ct_check_cbc_mac_and_pad(), at the line
“end_pos = data_len - 1 - mac.digest_size”. The flaw can allow an attacker to
manipulate the TLS ciphertext without the receiving tlslite-ng detecting the
change. This attack appears to be exploitable via man in the middle on a
network connection. This vulnerability appears to have been fixed after commit
3674815d1b0f7484454995e2737a352e0a6a93d8.

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 16.04 | noarch | tlslite-ng | < any | UNKNOWN |

github.com/tomato42/tlslite-ng/pull/234
github.com/tomato42/tlslite-ng/pull/234/commits/3674815d1b0f7484454995e2737a352e0a6a93d8 (v0.8.0-alpha3)
github.com/tomato42/tlslite-ng/pull/235
github.com/tomato42/tlslite-ng/pull/235/commits/e5e9145558f4c1a81071c61c947aa55a52542585 (backport for tlslite-ng-0.7)
launchpad.net/bugs/cve/CVE-2018-1000159
nvd.nist.gov/vuln/detail/CVE-2018-1000159
security-tracker.debian.org/tracker/CVE-2018-1000159
www.cve.org/CVERecord?id=CVE-2018-1000159