CVE-2013-2061

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:openvpn:openvpn:*:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.2.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.2.1:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.3.1:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.3.2:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.4.1:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.4.2:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.4.3:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:1.6.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:openvpn:openvpn_access_server:2.0.0:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*

History

No history.

Information

Published : 2013-11-18 02:55

Updated : 2024-02-28 12:00


NVD link : CVE-2013-2061

Mitre link : CVE-2013-2061

CVE.ORG link : CVE-2013-2061


JSON object : View

Products Affected

openvpn

  • openvpn
  • openvpn_access_server

opensuse

  • opensuse
CWE
CWE-200

Exposure of Sensitive Information to an Unauthorized Actor