Main
Vulnerability Database
Exploits
ID:378 - Exploit for Vaudenay timing attack in OpenSSL - CVE-2003-0078
ID:378 - Exploit for Vaudenay timing attack in OpenSSL - CVE-2003-0078
Published: March 18, 2020
Vulnerability identifier: #VU258
Vulnerability risk: Medium
CVE-ID: CVE-2003-0078
CWE-ID: CWE-200
Exploitation vector: Remote access
Vulnerable software:
OpenSSL
OpenSSL
Link to public exploit:
Vulnerability description
The vulnerability allows a remote attacker to cause an information leak.
The vulnerability exists due to ssl3_get_record in s3_pkt.c does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy). A remote unauthenticated attacker can launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack".
Successful exploitation of this vulnerability may result in disclosure of system information.
The vulnerability exists due to ssl3_get_record in s3_pkt.c does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy). A remote unauthenticated attacker can launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack".
Successful exploitation of this vulnerability may result in disclosure of system information.
Remediation
Upgrade your version to OpenSSL 0.9.7a, OpenSSL 0.9.6i.