CVE-2013-2566: Weak Encryption
First published: Thu Mar 14 2013(Updated: )
A new attack was discovered against TLS that allows an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical flaws in the keystream generated by the RC4 algorithm which become apparent in TLS ciphertexts when the same plaintext is repeatedly encrypted at a fixed location across many TLS sessions. Reference: <a href="http://www.isg.rhul.ac.uk/tls/">http://www.isg.rhul.ac.uk/tls/</a> <a href="http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html">http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle Communications Application Session Controller | >=3.0.0<=3.9.1 | |
| Oracle HTTP Server | =11.1.1.7.0 | |
| Oracle HTTP Server | =11.1.1.9.0 | |
| Oracle HTTP Server | =12.1.3.0.0 | |
| Oracle HTTP Server | =12.2.1.1.0 | |
| Oracle HTTP Server | =12.2.1.2.0 | |
| Oracle Integrated Lights Out Manager Firmware | >=3.0.0<=3.2.11 | |
| Oracle Integrated Lights Out Manager Firmware | >=4.0.0<=4.0.4 | |
| Fujitsu SPARC Enterprise M3000 Firmware | >=xcp<xcp_1121 | |
| Oracle SPARC Enterprise m3000 Server | ||
| Fujitsu SPARC Enterprise M4000 Firmware | >=xcp<xcp_1121 | |
| Fujitsu SPARC Enterprise M4000 Firmware | ||
| Fujitsu SPARC Enterprise M5000 Firmware | >=xcp<xcp_1121 | |
| Oracle SPARC Enterprise m5000 Server | ||
| Fujitsu SPARC Enterprise M8000 Firmware | >=xcp<xcp_1121 | |
| Fujitsu SPARC Enterprise M8000 Firmware | ||
| Fujitsu SPARC Enterprise M9000 Firmware | >=xcp<xcp_1121 | |
| Fujitsu SPARC Enterprise M9000 Firmware | ||
| Oracle Fujitsu M10-1 Firmware | >=xcp<xcp2280 | |
| Oracle Fujitsu M10-1 | ||
| Oracle Fujitsu M10-4 Firmware | >=xcp<xcp2280 | |
| Oracle Fujitsu M10-4 | ||
| fujitsu m10-4s firmware | >=xcp<xcp2280 | |
| fujitsu m10-4s | ||
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =12.10 | |
| Ubuntu Linux | =13.04 | |
| Ubuntu Linux | =13.10 | |
| Mozilla Firefox | <25.0.1 | |
| Mozilla Firefox ESR | <17.0.11 | |
| Mozilla Firefox ESR | >=24.1.0<24.1.1 | |
| Mozilla SeaMonkey | <2.22.1 | |
| Mozilla Thunderbird | <24.1.1 | |
| Mozilla Thunderbird ESR | <17.0.11 | |
| All of | ||
| Fujitsu SPARC Enterprise M3000 Firmware | >=xcp<xcp_1121 | |
| Oracle SPARC Enterprise m3000 Server | ||
| All of | ||
| Fujitsu SPARC Enterprise M4000 Firmware | >=xcp<xcp_1121 | |
| Fujitsu SPARC Enterprise M4000 Firmware | ||
| All of | ||
| Fujitsu SPARC Enterprise M5000 Firmware | >=xcp<xcp_1121 | |
| Oracle SPARC Enterprise m5000 Server | ||
| All of | ||
| Fujitsu SPARC Enterprise M8000 Firmware | >=xcp<xcp_1121 | |
| Fujitsu SPARC Enterprise M8000 Firmware | ||
| All of | ||
| Fujitsu SPARC Enterprise M9000 Firmware | >=xcp<xcp_1121 | |
| Fujitsu SPARC Enterprise M9000 Firmware | ||
| All of | ||
| Oracle Fujitsu M10-1 Firmware | >=xcp<xcp2280 | |
| Oracle Fujitsu M10-1 | ||
| All of | ||
| Oracle Fujitsu M10-4 Firmware | >=xcp<xcp2280 | |
| Oracle Fujitsu M10-4 | ||
| All of | ||
| fujitsu m10-4s firmware | >=xcp<xcp2280 | |
| fujitsu m10-4s | ||
| Ubuntu | =12.04 | |
| Ubuntu | =12.10 | |
| Ubuntu | =13.04 | |
| Ubuntu | =13.10 | |
| Mozilla Firefox | <17.0.11 | |
| Mozilla Firefox | >=24.1.0<24.1.1 | |
| GE Web Server | ||
| GE Access | ||
| GE Access | ||
| GE Access | ||
| GE Access | ||
| GE UR bootloader binary |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2013-2566 https://nvd.nist.gov/vuln/detail/CVE-2013-2566
- https://bugzilla.redhat.com/show_bug.cgi?id=921947
- https://access.redhat.com/security/cve/CVE-2013-2566
- http://www.isg.rhul.ac.uk/tls/
- http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html
- http://cr.yp.to/talks/2013.03.12/slides.pdf
- http://nakedsecurity.sophos.com/2013/03/16/has-https-finally-been-cracked/
- http://www.theregister.co.uk/2013/03/15/tls_broken/
- http://www.isg.rhul.ac.uk/tls/RC4biases.pdf
- http://www.isg.rhul.ac.uk/tls/#Patches
- https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
- http://www.mozilla.org/security/announce/2013/mfsa2013-103.html
- https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.3_release_notes
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=921947#c6
- https://hg.mozilla.org/projects/nss/rev/9f313e08bd43
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=921947#c3
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=921947#c7
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=921947#c8
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://marc.info/?l=bugtraq&m=143039468003789&w=2
- http://my.opera.com/securitygroup/blog/2013/03/20/on-the-precariousness-of-rc4
- http://security.gentoo.org/glsa/glsa-201406-19.xml
- http://www.opera.com/docs/changelogs/unified/1215/
- http://www.opera.com/security/advisory/1046
- http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.securityfocus.com/bid/58796
- http://www.ubuntu.com/usn/USN-2031-1
- http://www.ubuntu.com/usn/USN-2032-1
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888
- https://security.gentoo.org/glsa/201504-01
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-075-02 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2013-2566?
CVE-2013-2566 is categorized as a medium severity vulnerability due to its potential to leak limited plaintext data from TLS connections using RC4 encryption.
How do I fix CVE-2013-2566?
To fix CVE-2013-2566, disable RC4 encryption in your TLS configuration and switch to a stronger cipher.
Which software is affected by CVE-2013-2566?
CVE-2013-2566 affects various software including GE firmware versions 7.4x to 8.0x and multiple versions of Oracle HTTP Server.
Can CVE-2013-2566 be exploited remotely?
Yes, CVE-2013-2566 can be exploited remotely if an attacker can intercept and manipulate the TLS traffic.
What encryption algorithm does CVE-2013-2566 target?
CVE-2013-2566 specifically targets the RC4 encryption algorithm used in TLS connections.
- collector/redhat-cve
- collector/redhat-bugzilla
- alias/CVE-2013-2566
- agent/type
- agent/weakness
- agent/description
- agent/references
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/first-publish-date
- agent/author
- agent/last-modified-date
- agent/trending
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/tags
- collector/ics-cert-advisory
- source/ICS
- vendor/oracle
- canonical/oracle communications application session controller
- version/oracle communications application session controller/3.0.0
- version/oracle communications application session controller/3.9.1
- canonical/oracle http server
- version/oracle http server/11.1.1.7.0
- version/oracle http server/11.1.1.9.0
- version/oracle http server/12.1.3.0.0
- version/oracle http server/12.2.1.1.0
- version/oracle http server/12.2.1.2.0
- canonical/oracle integrated lights out manager firmware
- version/oracle integrated lights out manager firmware/3.0.0
- version/oracle integrated lights out manager firmware/3.2.11
- version/oracle integrated lights out manager firmware/4.0.0
- version/oracle integrated lights out manager firmware/4.0.4
- vendor/fujitsu
- canonical/fujitsu sparc enterprise m3000 firmware
- version/fujitsu sparc enterprise m3000 firmware/xcp
- canonical/oracle sparc enterprise m3000 server
- canonical/fujitsu sparc enterprise m4000 firmware
- version/fujitsu sparc enterprise m4000 firmware/xcp
- canonical/fujitsu sparc enterprise m5000 firmware
- version/fujitsu sparc enterprise m5000 firmware/xcp
- canonical/oracle sparc enterprise m5000 server
- canonical/fujitsu sparc enterprise m8000 firmware
- version/fujitsu sparc enterprise m8000 firmware/xcp
- canonical/fujitsu sparc enterprise m9000 firmware
- version/fujitsu sparc enterprise m9000 firmware/xcp
- canonical/oracle fujitsu m10-1 firmware
- version/oracle fujitsu m10-1 firmware/xcp
- canonical/oracle fujitsu m10-1
- canonical/oracle fujitsu m10-4 firmware
- version/oracle fujitsu m10-4 firmware/xcp
- canonical/oracle fujitsu m10-4
- canonical/fujitsu m10-4s firmware
- version/fujitsu m10-4s firmware/xcp
- canonical/fujitsu m10-4s
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/12.10
- version/ubuntu linux/13.04
- version/ubuntu linux/13.10
- vendor/mozilla
- canonical/mozilla firefox
- canonical/mozilla firefox esr
- version/mozilla firefox esr/24.1.0
- canonical/mozilla seamonkey
- canonical/mozilla thunderbird
- canonical/mozilla thunderbird esr
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/12.10
- version/ubuntu/13.04
- version/ubuntu/13.10
- version/mozilla firefox/24.1.0
- vendor/ge
- canonical/ge web server
- canonical/ge access
- canonical/ge ur bootloader binary