CVE-2003-0078

Published: Mar 3, 2003Modified: Apr 16, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack."

Affected (18)

Products: Openssl: Openssl · Freebsd: Freebsd · Openbsd: Openbsd

1 product

1 product

1 product

Configuration A

9 vulnerable

Vulnerable Software	Affected Versions
Openssl Openssl	Before 0.9.6i
Openssl Openssl	Version 0.9.6i
Openssl Openssl	Version 0.9.7
Openssl Openssl	Version 0.9.7 beta1
Openssl Openssl	Version 0.9.7 beta2
Openssl Openssl	Version 0.9.7 beta3
Openssl Openssl	Version 0.9.7 beta4
Openssl Openssl	Version 0.9.7 beta5
Openssl Openssl	Version 0.9.7 beta6

Configuration B

9 vulnerable

Vulnerable Software	Affected Versions
Freebsd Freebsd	Version 4.2
Freebsd Freebsd	Version 4.3
Freebsd Freebsd	Version 4.4
Freebsd Freebsd	Version 4.5
Freebsd Freebsd	Version 4.6
Freebsd Freebsd	Version 4.7
Freebsd Freebsd	Version 5.0
Openbsd Openbsd	Version 3.1
Openbsd Openbsd	Version 3.2

Related CWEs

CWE-203

Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (40)

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc (unsafe URL)

Source: cve@mitre.org

Broken Link

ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I (unsafe URL)

Source: cve@mitre.org

Broken Link

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000570

Source: cve@mitre.org

Broken Link

http://marc.info/?l=bugtraq&m=104567627211904&w=2

Source: cve@mitre.org

Third Party Advisory

http://marc.info/?l=bugtraq&m=104568426824439&w=2

Source: cve@mitre.org

Third Party Advisory

http://marc.info/?l=bugtraq&m=104577183206905&w=2

Source: cve@mitre.org

Third Party Advisory

http://www.ciac.org/ciac/bulletins/n-051.shtml

Source: cve@mitre.org

Broken Link

http://www.debian.org/security/2003/dsa-253

Source: cve@mitre.org

Broken LinkVendor Advisory

http://www.iss.net/security_center/static/11369.php

Source: cve@mitre.org

Broken LinkVendor Advisory

http://www.linuxsecurity.com/advisories/engarde_advisory-2874.html

Source: cve@mitre.org

Broken Link

http://www.mandrakesoft.com/security/advisories?name=MDKSA-2003:020

Source: cve@mitre.org

Broken Link

http://www.openssl.org/news/secadv_20030219.txt

Source: cve@mitre.org

Broken LinkPatchVendor Advisory

http://www.osvdb.org/3945

Source: cve@mitre.org

Broken Link

http://www.redhat.com/support/errata/RHSA-2003-062.html

Source: cve@mitre.org

Broken Link

http://www.redhat.com/support/errata/RHSA-2003-063.html

Source: cve@mitre.org

Broken Link

http://www.redhat.com/support/errata/RHSA-2003-082.html

Source: cve@mitre.org

Broken Link

http://www.redhat.com/support/errata/RHSA-2003-104.html

Source: cve@mitre.org

Broken Link

http://www.redhat.com/support/errata/RHSA-2003-205.html

Source: cve@mitre.org

Broken Link

http://www.securityfocus.com/bid/6884

Source: cve@mitre.org

Broken LinkThird Party AdvisoryVDB Entry

http://www.trustix.org/errata/2003/0005

Source: cve@mitre.org

Broken Link

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-001.txt.asc (unsafe URL)