CVE-2020-12413

2023-02-1600:00:00

ubuntu.com

raccoon attack

timing attack

dhe ciphersuites

tls specification

firefox

vulnerability mitigation

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

48.4%

JSON

The Raccoon attack is a timing attack on DHE ciphersuites inherit in the
TLS specification. To mitigate this vulnerability, Firefox disabled support
for DHE ciphersuites.

Notes

Author	Note
mdeslaur	nss doesn’t reuse DHE keys, but does reuse ECDHE keys, which is not problematic for the moment. See page 13 of https://raccoon-attack.com/RacoonAttack.pdf and the nss release notes for 3.17: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17_release_notes Since 3.17 includes a way to disable ECDHE key reuse with the SSL_REUSE_SERVER_ECDHE_KEY option, marking this CVE as fixed in fixed in 3.17.

Author

Note

mdeslaur

nss doesn’t reuse DHE keys, but does reuse ECDHE keys, which is not problematic for the moment. See page 13 of https://raccoon-attack.com/RacoonAttack.pdf and the nss release notes for 3.17: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.17_release_notes Since 3.17 includes a way to disable ECDHE key reuse with the SSL_REUSE_SERVER_ECDHE_KEY option, marking this CVE as fixed in fixed in 3.17.