CVE-2013-2566
MEDIUM severity · CVSS 5.9 · CWE-326
Summary
The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks via statistical analysis of ciphertext in a large number of sessions that use the same plaintext.
Impact & exploitability
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Confidentiality impact: High
Integrity impact: None
Availability impact: None
Exploit probability (EPSS): 93%
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products we track (2)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html (Advisory)
- http://cr.yp.to/talks/2013.03.12/slides.pdf (Advisory)
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 (Advisory)
- http://marc.info/?l=bugtraq&m=143039468003789&w=2 (Advisory)
- http://my.opera.com/securitygroup/blog/2013/03/20/on-the-precariousness-of-rc4 (Advisory)
- http://security.gentoo.org/glsa/glsa-201406-19.xml (Advisory)
- http://www.isg.rhul.ac.uk/tls/ (Advisory)
- http://www.mozilla.org/security/announce/2013/mfsa2013-103.html (Advisory)