Main Vulnerability Database SB2015092506

SB2015092506 - Debian update for openssl

Published: September 25, 2015

Security Bulletin ID SB2015092506

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Vaudenay timing attack (CVE-ID: CVE-2003-0078)

The vulnerability allows a remote attacker to cause an information leak.

The vulnerability exists due to ssl3_get_record in s3_pkt.c does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy). A remote unauthenticated attacker can launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack".

Successful exploitation of this vulnerability may result in disclosure of system information.

Remediation

Install update from vendor's website.

References

https://www.openssl.org/news/vulnerabilities.html#y2002