Vulnerability Monitor

CVE-2013-1624


The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.


Published

2013-02-08T19:55:01.437

Last Modified

2025-05-12T17:37:16.527

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 4.0 (MEDIUM)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:P/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Exploitability Score

4.9

Impact Score

4.9

Weaknesses
  • Type: Primary
    CWE-310

Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application bouncycastle bc-java 1.01 Yes
Application bouncycastle bc-java 1.02 Yes
Application bouncycastle bc-java 1.03 Yes
Application bouncycastle bc-java 1.04 Yes
Application bouncycastle bc-java 1.05 Yes
Application bouncycastle bc-java 1.06 Yes
Application bouncycastle bc-java 1.07 Yes
Application bouncycastle bc-java 1.08 Yes
Application bouncycastle bc-java 1.09 Yes
Application bouncycastle bc-java 1.10 Yes
Application bouncycastle bc-java 1.11 Yes
Application bouncycastle bc-java 1.12 Yes
Application bouncycastle bc-java 1.13 Yes
Application bouncycastle bc-java 1.14 Yes
Application bouncycastle bc-java 1.15 Yes
Application bouncycastle bc-java 1.16 Yes
Application bouncycastle bc-java 1.17 Yes
Application bouncycastle bc-java 1.18 Yes
Application bouncycastle bc-java 1.19 Yes
Application bouncycastle bc-java 1.20 Yes
Application bouncycastle bc-java 1.21 Yes
Application bouncycastle bc-java 1.22 Yes
Application bouncycastle bc-java 1.23 Yes
Application bouncycastle bc-java 1.24 Yes
Application bouncycastle bc-java 1.25 Yes
Application bouncycastle bc-java 1.26 Yes
Application bouncycastle bc-java 1.27 Yes
Application bouncycastle bc-java 1.28 Yes
Application bouncycastle bc-java 1.29 Yes
Application bouncycastle bc-java 1.30 Yes
Application bouncycastle bc-java 1.31 Yes
Application bouncycastle bc-java 1.32 Yes
Application bouncycastle bc-java 1.33 Yes
Application bouncycastle bc-java 1.34 Yes
Application bouncycastle bc-java 1.35 Yes
Application bouncycastle bc-java 1.36 Yes
Application bouncycastle bc-java 1.37 Yes
Application bouncycastle bc-java 1.38 Yes
Application bouncycastle bc-java 1.39 Yes
Application bouncycastle bc-java 1.40 Yes
Application bouncycastle bc-java 1.41 Yes
Application bouncycastle bc-java 1.42 Yes
Application bouncycastle bc-java 1.43 Yes
Application bouncycastle bc-java 1.44 Yes
Application bouncycastle bc-java 1.45 Yes
Application bouncycastle bc-java 1.46 Yes
Application bouncycastle bc-java 1.47 Yes
Application bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 0.0 Yes
Application bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.0 Yes
Application bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.1 Yes
Application bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.2 Yes
Application bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.3 Yes
Application bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.4 Yes
Application bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.5 Yes
Application bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.6.1 Yes
Application bouncycastle legion-of-the-bouncy-castle-c\#-cryptography-api 1.7 Yes

References