CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

Metric | Value |
---|---|
Percentile | 77.3% |

The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many
single-byte biases, which makes it easier for remote attackers to conduct
plaintext-recovery attacks via statistical analysis of ciphertext in a
large number of sessions that use the same plaintext.
Author | Note |
---|---|
jdstrand | this is a protocol problem not specific to openssl. Using openssl as a placeholder until more information is available. marking low for now until more information is available. At present, naive attacks need tens to hundreds of millions of TLS connections. Optimized attacks are not present yet. marking deferred since there is no consensus on what to do (we can’t just disable RC4) |
mdeslaur | marking as ignored since there is no actionable item |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 12.04 | noarch | firefox | < 25.0.1+build1-0ubuntu0.12.04.1 | UNKNOWN |
ubuntu | 12.10 | noarch | firefox | < 25.0.1+build1-0ubuntu0.12.10.1 | UNKNOWN |
ubuntu | 13.04 | noarch | firefox | < 25.0.1+build1-0ubuntu0.13.04.1 | UNKNOWN |
ubuntu | 13.10 | noarch | firefox | < 25.0.1+build1-0ubuntu0.13.10.1 | UNKNOWN |
ubuntu | 12.04 | noarch | thunderbird | < 1:24.1.1+build1-0ubuntu0.12.04.1 | UNKNOWN |
ubuntu | 12.10 | noarch | thunderbird | < 1:24.1.1+build1-0ubuntu0.12.10.1 | UNKNOWN |
ubuntu | 13.04 | noarch | thunderbird | < 1:24.1.1+build1-0ubuntu0.13.04.1 | UNKNOWN |
ubuntu | 13.10 | noarch | thunderbird | < 1:24.1.1+build1-0ubuntu0.13.10.1 | UNKNOWN |
blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
cr.yp.to/talks/2013.03.12/slides.pdf
www.isg.rhul.ac.uk/tls/
www.mozilla.org/security/announce/2013/mfsa2013-103.html
launchpad.net/bugs/cve/CVE-2013-2566
nvd.nist.gov/vuln/detail/CVE-2013-2566
security-tracker.debian.org/tracker/CVE-2013-2566
ubuntu.com/security/notices/USN-2031-1
ubuntu.com/security/notices/USN-2032-1
www.cve.org/CVERecord?id=CVE-2013-2566