FKIE_CVE-2013-1624

Vulnerability from fkie_nvd - Published: 2013-02-08 19:55 - Updated: 2025-05-12 17:37
Severity ?
Summary
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
References
cve@mitre.orghttp://openwall.com/lists/oss-security/2013/02/05/24
cve@mitre.orghttp://rhn.redhat.com/errata/RHSA-2014-0371.html
cve@mitre.orghttp://rhn.redhat.com/errata/RHSA-2014-0372.html
cve@mitre.orghttp://secunia.com/advisories/57716
cve@mitre.orghttp://secunia.com/advisories/57719
cve@mitre.orghttp://www.isg.rhul.ac.uk/tls/TLStiming.pdf
af854a3a-2127-422b-91ae-364da2661108http://openwall.com/lists/oss-security/2013/02/05/24
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2014-0371.html
af854a3a-2127-422b-91ae-364da2661108http://rhn.redhat.com/errata/RHSA-2014-0372.html
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/57716
af854a3a-2127-422b-91ae-364da2661108http://secunia.com/advisories/57719
af854a3a-2127-422b-91ae-364da2661108http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
Impacted products
Vendor Product Version
bouncycastle bc-java 1.01
bouncycastle bc-java 1.02
bouncycastle bc-java 1.03
bouncycastle bc-java 1.04
bouncycastle bc-java 1.05
bouncycastle bc-java 1.06
bouncycastle bc-java 1.07
bouncycastle bc-java 1.08
bouncycastle bc-java 1.09
bouncycastle bc-java 1.10
bouncycastle bc-java 1.11
bouncycastle bc-java 1.12
bouncycastle bc-java 1.13
bouncycastle bc-java 1.14
bouncycastle bc-java 1.15
bouncycastle bc-java 1.16
bouncycastle bc-java 1.17
bouncycastle bc-java 1.18
bouncycastle bc-java 1.19
bouncycastle bc-java 1.20
bouncycastle bc-java 1.21
bouncycastle bc-java 1.22
bouncycastle bc-java 1.23
bouncycastle bc-java 1.24
bouncycastle bc-java 1.25
bouncycastle bc-java 1.26
bouncycastle bc-java 1.27
bouncycastle bc-java 1.28
bouncycastle bc-java 1.29
bouncycastle bc-java 1.30
bouncycastle bc-java 1.31
bouncycastle bc-java 1.32
bouncycastle bc-java 1.33
bouncycastle bc-java 1.34
bouncycastle bc-java 1.35
bouncycastle bc-java 1.36
bouncycastle bc-java 1.37
bouncycastle bc-java 1.38
bouncycastle bc-java 1.39
bouncycastle bc-java 1.40
bouncycastle bc-java 1.41
bouncycastle bc-java 1.42
bouncycastle bc-java 1.43
bouncycastle bc-java 1.44
bouncycastle bc-java 1.45
bouncycastle bc-java 1.46
bouncycastle bc-java 1.47
bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 0.0
bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.0
bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.1
bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.2
bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.3
bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.4
bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.5
bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.6.1
bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.7
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.01:*:*:*:*:*:*:*",
              "matchCriteriaId": "074B7733-B554-4C60-8B6C-711082FBC981",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.02:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B065EFF-5CBE-4B4E-B5ED-C97ACC17F913",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.03:*:*:*:*:*:*:*",
              "matchCriteriaId": "74053B79-26E8-4E5C-8BAA-623B6F8C2406",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.04:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A673F86-9038-4DDC-BC42-CDAA82E31D18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.05:*:*:*:*:*:*:*",
              "matchCriteriaId": "27BA92FF-CCD7-43A7-880B-63F749BE134A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.06:*:*:*:*:*:*:*",
              "matchCriteriaId": "A587B9F5-BA5F-4470-84A7-551C15143F80",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.07:*:*:*:*:*:*:*",
              "matchCriteriaId": "CF1C6753-A077-4BC1-96D6-42408D576371",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.08:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9F1242D-E49C-49E8-B011-ACCD096BB62F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.09:*:*:*:*:*:*:*",
              "matchCriteriaId": "CB5B1AD3-F98A-4608-92E3-03D595DC24F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "A3B73EA3-7055-47F4-927B-DAE9CCC0790B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "754ACBCB-BF5C-49C2-8608-DF0B60F75C19",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "6654B10A-5D16-4D13-A329-512A1D8100D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "33A9B4AA-4EBF-49A9-8081-68AE10D3B36D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "E57C145D-44AD-4D3D-AC95-A02F4343E9F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.15:*:*:*:*:*:*:*",
              "matchCriteriaId": "581016A0-9C71-4C69-BA07-DED9E58B9D20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "D7E76D59-7A74-44A9-9E34-F2573C7BD023",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.17:*:*:*:*:*:*:*",
              "matchCriteriaId": "F375FFAD-88A2-4DCE-A609-2965692483CE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "5C001773-96B8-4CC9-9841-EBAFD4724FBA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "2EAAD240-17C9-4804-9BDE-F13B94EC6580",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF897C5D-1751-4FCE-8814-51FBECB7143B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.21:*:*:*:*:*:*:*",
              "matchCriteriaId": "DBEF5C40-189C-4CA3-AC7E-7B06040AE984",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.22:*:*:*:*:*:*:*",
              "matchCriteriaId": "C232FE64-92E6-4090-BA28-53A6EC1794EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.23:*:*:*:*:*:*:*",
              "matchCriteriaId": "3BC9CEB4-0708-4BF2-B126-94ADC1F83870",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.24:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C7FB2D4-C9FA-4B4D-9DA5-EF7262F00E44",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.25:*:*:*:*:*:*:*",
              "matchCriteriaId": "3B7DDC74-EAB2-4159-B234-6A282155D137",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.26:*:*:*:*:*:*:*",
              "matchCriteriaId": "E9BA1059-992E-4C20-A7CE-7113BA768663",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.27:*:*:*:*:*:*:*",
              "matchCriteriaId": "27E1FB43-1D6B-48B0-ADA1-CCE1BFF03E87",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.28:*:*:*:*:*:*:*",
              "matchCriteriaId": "989146A9-B308-4097-9E01-E6DE1DD7FCCE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.29:*:*:*:*:*:*:*",
              "matchCriteriaId": "59B24C7F-ABC5-43EC-86A0-5E1985522FCC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.30:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C8010C1-C565-4743-9D15-40040FB43B63",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.31:*:*:*:*:*:*:*",
              "matchCriteriaId": "232A9D64-5D09-4C97-A40C-AC7BCBFAC656",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.32:*:*:*:*:*:*:*",
              "matchCriteriaId": "1DCFFFEC-C0FA-43F9-8D51-281D2687A112",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.33:*:*:*:*:*:*:*",
              "matchCriteriaId": "19E0BE43-463C-4181-B391-BF4365B85B96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.34:*:*:*:*:*:*:*",
              "matchCriteriaId": "DAA2A9CD-697A-448B-BC5B-1B5C62EAC8F7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.35:*:*:*:*:*:*:*",
              "matchCriteriaId": "557535DF-E017-4B5D-BF31-108842792600",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.36:*:*:*:*:*:*:*",
              "matchCriteriaId": "AF066A80-84B8-40FF-9A48-D72D5475DEEA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.37:*:*:*:*:*:*:*",
              "matchCriteriaId": "CD3C1714-F2BB-48E9-A853-FF72CDEB7571",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.38:*:*:*:*:*:*:*",
              "matchCriteriaId": "AC6601B4-BC40-405C-A356-73B5D95FC1FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.39:*:*:*:*:*:*:*",
              "matchCriteriaId": "87A2ED6F-4C17-4B4A-AE63-5B390D226A41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.40:*:*:*:*:*:*:*",
              "matchCriteriaId": "00F70566-2BC4-48B4-B742-D0D229023101",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.41:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5D129B6-8749-4E84-9E5D-9FE86482A270",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.42:*:*:*:*:*:*:*",
              "matchCriteriaId": "D9344203-15ED-465D-AF07-2BFF14532264",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.43:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA414847-2C01-4267-BFAC-1C54C9352BB1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.44:*:*:*:*:*:*:*",
              "matchCriteriaId": "6A9D93C8-E5F8-48FC-AF3D-045A4EB36F8B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.45:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8D14A27-9C4A-44D0-8687-BCAEB3013FDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.46:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B00CB74-167A-4BCB-81E5-C9B47285007D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:bc-java:1.47:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CAB6B3F-53F8-4F5E-A34C-C67EE9914EA1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "35AF4B58-7361-4D12-AADA-072A60AB0104",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "3BFAF5C1-7823-436C-9CA3-056F0A9D51A5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "40259337-03AB-410A-82B7-AFEB4E0C1AD1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "CA51EA08-2375-4F1B-8C89-ED18B2C9E683",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD8F22E0-D7C8-4ADA-9312-18F07CEF4ED4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "65F5FE67-E52C-4301-A840-F91A1F5B87B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "E0BB97D9-EADD-47DB-9ABA-A92B43C2A522",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.6.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "27F9BDF0-E59A-4FD9-B868-BF7342B98B8B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-c\\#-cryptography-api:1.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "8FF3240B-548F-45A4-BCC8-4E0534619375",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169."
    },
    {
      "lang": "es",
      "value": "La implementaci\u00f3n de TLS en la biblioteca Java de Bouncy Castle antes v1.48 y biblioteca C# antes de v1.8 no tiene debidamente en cuenta los ataques de tiempo al canal lateral en la operaci\u00f3n de comprobaci\u00f3n de incumplimiento MAC durante el proceso de relleno del CBC malformado, lo que permite a atacantes remotos  realizar ataques distintivos y de texto plano, ataques de recuperaci\u00f3n a trav\u00e9s de an\u00e1lisis estad\u00edsticode tiempo de los paquetes hechos a mano, una cuesti\u00f3n relacionada con CVE-2013-0169."
    }
  ],
  "id": "CVE-2013-1624",
  "lastModified": "2025-05-12T17:37:16.527",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 4.9,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-02-08T19:55:01.437",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://openwall.com/lists/oss-security/2013/02/05/24"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0371.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0372.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/57716"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://secunia.com/advisories/57719"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://openwall.com/lists/oss-security/2013/02/05/24"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0371.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0372.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/57716"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/57719"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.isg.rhul.ac.uk/tls/TLStiming.pdf"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-310"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.