You are here

OpenSSL Security Advisory [05 Feb 2013]

IDs: 
CVE-2013-0169, CVE-2012-2686, CVE-2013-0166
Keywords: 
TLS, OpenSSL, Lucky Thirteen
Description: 

SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)

A weakness in the handling of certain ciphersuites in SSL, TLS and DTLS was discovered which could be used to recover plaintext from a TLS/DTLS connection. The attack exploits timing differences arising during decryption. Details of this attack can be found at http://www.isg.rhul.ac.uk/tls/ ("Lucky Thirteen")

Exploiting SSL/TLS timing vulnerabilities over the Internet is de facto impossible. Therefore no action is required.

TLS 1.1 and 1.2 AES-NI DoS (CVE-2012-2686)

A flaw in the OpenSSL handling of certain ciphersuites in TLS 1.1 and TLS 1.2 on AES-NI supporting platforms can be exploited in a denial of service attack.

Even if a CPU is in place which supports the AES New Instructions (AES-NI), this vulnerability does not significantly change the attack surface of Airlock regarding denial of service attacks. Therefore no action is required.

OCSP invalid key DoS issue (CVE-2013-0166)

A flaw in the OpenSSL handling of OCSP response verification can be exploited in a denial of service attack.

Airlock is not using OCSP response verification and is therefore not vulnerable.

Resolution: 

no action required

Component: 
Airlock
Airlock Vulnerability Status: 
No action required
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock