CVE-2016-7152
Published: 6 September 2016
The HTTPS protocol does not consider the role of the TCP congestion window in providing information about content length, which makes it easier for remote attackers to obtain cleartext data by leveraging a web-browser configuration in which third-party cookies are sent, aka a "HEIST" attack.
Notes
Author | Note |
---|---|
seth-arnold | NVD had this CVE assigned to multiple browsers as of 2016-09-12. This CVE appears to cover a wide variety of browser side channels demonstrating the time difference between first byte and last byte in a response. This can be used both for compression-based determinations of exact strings from requests that are reflected in responses as well as uncompressed responses from sites that have disabled compression to mitigate BEAST or CRIME. The paper authors recommend users disable third-party cookies in their browsers, with the caveat that many services will break. |
mdeslaur | We have no actionable item to fix this CVE. Since we release new firefox, thunderbird and chromium upstream releases, I'm marking this as ignored. |
Priority
Status
Package | Release | Status |
---|---|---|
chromium-browser (Launchpad, Ubuntu, Debian) | trusty | Does not exist (trusty was ignored) |
chromium-browser | upstream | Needed |
chromium-browser | xenial | Ignored |
chromium-browser | yakkety | Ignored (end of life) |
chromium-browser | zesty | Ignored |
chromium-browser | precise | Ignored |
firefox (Launchpad, Ubuntu, Debian) | trusty | Does not exist (trusty was ignored) |
firefox | upstream | Needed |
firefox | xenial | Ignored |
firefox | yakkety | Ignored (end of life) |
firefox | zesty | Ignored |
firefox | precise | Ignored (end of life) |
oxide-qt (Launchpad, Ubuntu, Debian) | precise | Does not exist |
oxide-qt | trusty | Does not exist (trusty was ignored) |
oxide-qt | upstream | Needs triage |
oxide-qt | xenial | Ignored |
oxide-qt | yakkety | Ignored (end of life) |
oxide-qt | zesty | Ignored |
thunderbird (Launchpad, Ubuntu, Debian) | trusty | Does not exist (trusty was ignored) |
thunderbird | upstream | Needs triage |
thunderbird | xenial | Ignored |
thunderbird | yakkety | Ignored (end of life) |
thunderbird | zesty | Ignored |
thunderbird | precise | Ignored (end of life) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.3 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | Low |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7152
- http://arstechnica.com/security/2016/08/new-attack-steals-ssns-e-mail-addresses-and-more-from-https-pages/
- https://tom.vg/papers/heist_blackhat2016.pdf
- https://www.blackhat.com/docs/us-16/materials/us-16-VanGoethem-HEIST-HTTP-Encrypted-Information-Can-Be-Stolen-Through-TCP-Windows-wp.pdf
- NVD
- Launchpad
- Debian