Vulnerability Details : CVE-2003-0147
OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal).
Products affected by CVE-2003-0147
- cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6c:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6d:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6b:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6e:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6h:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6i:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.7a:*:*:*:*:*:*:*
- cpe:2.3:a:openssl:openssl:0.9.6g:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.7:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.8:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.14:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.15:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.16:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.9:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.12:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.13:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.21:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.17:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.18:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.22:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.10:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.11:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.19:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:3.20:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.04:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.01:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.02:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.03:*:*:*:*:*:*:*
- cpe:2.3:a:stunnel:stunnel:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:openpkg:openpkg:*:*:*:*:*:*:*:*
- cpe:2.3:a:openpkg:openpkg:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:openpkg:openpkg:1.1:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2003-0147
0.86%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 83 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2003-0147
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST |
Vendor statements for CVE-2003-0147
-
Red Hat 2007-03-14Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.
References for CVE-2003-0147
-
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A466
404 Not Found
-
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2003:035
-
http://www.openpkg.com/security/advisories/OpenPKG-SA-2003.019.html
-
http://marc.info/?l=bugtraq&m=104819602408063&w=2
'[OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl)' - MARC
-
http://www.openssl.org/news/secadv_20030317.txt
404 Page not found | Library
-
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0130.html
Vendor Advisory
-
http://www.securityfocus.com/archive/1/316165/30/25370/threaded
-
http://www.debian.org/security/2003/dsa-288
Debian -- The Universal Operating System
-
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000625
CONECTIVA | Análises dos Melhores Produtos Online (#10 Melhores)
-
http://marc.info/?l=bugtraq&m=104829040921835&w=2
'GLSA: openssl (200303-15)' - MARC
-
http://www.gentoo.org/security/en/glsa/glsa-200303-23.xml
Gentoo Linux — Error 404 (Not Found)
-
http://www.redhat.com/support/errata/RHSA-2003-102.html
Support
-
http://marc.info/?l=bugtraq&m=104861762028637&w=2
'GLSA: stunnel (200303-24)' - MARC
-
http://www.redhat.com/support/errata/RHSA-2003-101.html
Support
-
http://marc.info/?l=bugtraq&m=104766550528628&w=2
'Vulnerability in OpenSSL' - MARC
-
ftp://patches.sgi.com/support/free/security/advisories/20030501-01-I
-
ftp://ftp.sco.com/pub/security/OpenLinux/CSSA-2003-014.0.txt
-
http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
-
http://www.kb.cert.org/vuls/id/997481
VU#997481 - Cryptographic libraries and applications do not adequately defend against timing attacksThird Party Advisory;US Government Resource
-
http://www.securityfocus.com/archive/1/316577/30/25310/threaded
-
http://marc.info/?l=bugtraq&m=104792570615648&w=2
'[ADVISORY] Timing Attack on OpenSSL' - MARC
Jump to