CVE-2013-2566
Published: 15 March 2013
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Notes
| Author | Note |
|---|---|
| jdstrand | this is a protocol problem not specific to openssl. Using openssl as a placeholder until more information is available marking low for now until more information is available. At present, naive attacks need tens to hundreds of millions of TLS connections. Optimized attacks are not present yet. marking deferred since there is no consensus on what to do (we can't just disable RC4) |
| mdeslaur | marking as ignored since there is no actionable item |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
firefox Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
| precise |
Released
(25.0.1+build1-0ubuntu0.12.04.1)
|
|
| quantal |
Released
(25.0.1+build1-0ubuntu0.12.10.1)
|
|
| raring |
Released
(25.0.1+build1-0ubuntu0.13.04.1)
|
|
| saucy |
Released
(25.0.1+build1-0ubuntu0.13.10.1)
|
|
| upstream |
Released
(25.0.1)
|
|
|
openssl Launchpad, Ubuntu, Debian |
hardy |
Ignored
|
| lucid |
Ignored
|
|
| oneiric |
Ignored
|
|
| precise |
Ignored
|
|
| quantal |
Ignored
|
|
| raring |
Ignored
|
|
| saucy |
Ignored
|
|
| upstream |
Needs triage
|
|
|
thunderbird Launchpad, Ubuntu, Debian |
lucid |
Ignored
(end of life)
|
| precise |
Released
(1:24.1.1+build1-0ubuntu0.12.04.1)
|
|
| quantal |
Released
(1:24.1.1+build1-0ubuntu0.12.10.1)
|
|
| raring |
Released
(1:24.1.1+build1-0ubuntu0.13.04.1)
|
|
| saucy |
Released
(1:24.1.1+build1-0ubuntu0.13.10.1)
|
|
| upstream |
Released
(24.1.1)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.9 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- http://www.isg.rhul.ac.uk/tls/
- http://cr.yp.to/talks/2013.03.12/slides.pdf
- http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
- http://www.mozilla.org/security/announce/2013/mfsa2013-103.html
- https://ubuntu.com/security/notices/USN-2032-1
- https://ubuntu.com/security/notices/USN-2031-1
- https://www.cve.org/CVERecord?id=CVE-2013-2566
- NVD
- Launchpad
- Debian