CVE-2013-2061

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.6.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn_access_server:2.0.0:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*

History

21 Nov 2024, 01:50

Type Values Removed Values Added
References () http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105568.html - () http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105568.html -
References () http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html - () http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html -
References () http://lists.opensuse.org/opensuse-updates/2013-11/msg00012.html - Vendor Advisory () http://lists.opensuse.org/opensuse-updates/2013-11/msg00012.html - Vendor Advisory
References () http://lists.opensuse.org/opensuse-updates/2013-11/msg00016.html - () http://lists.opensuse.org/opensuse-updates/2013-11/msg00016.html -
References () http://www.mandriva.com/security/advisories?name=MDVSA-2013:167 - () http://www.mandriva.com/security/advisories?name=MDVSA-2013:167 -
References () http://www.openwall.com/lists/oss-security/2013/05/06/6 - () http://www.openwall.com/lists/oss-security/2013/05/06/6 -
References () https://bugs.gentoo.org/show_bug.cgi?id=468756 - () https://bugs.gentoo.org/show_bug.cgi?id=468756 -
References () https://bugzilla.redhat.com/show_bug.cgi?id=960192 - () https://bugzilla.redhat.com/show_bug.cgi?id=960192 -
References () https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc - () https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc -
References () https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee - Exploit, Patch () https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee - Exploit, Patch

Information

Published : 2013-11-18 02:55

Updated : 2024-11-21 01:50


NVD link : CVE-2013-2061

Mitre link : CVE-2013-2061

CVE.ORG link : CVE-2013-2061


JSON object : View

Products Affected

opensuse

  • opensuse

openvpn

  • openvpn
  • openvpn_access_server
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor