Vulnerability Details : CVE-2013-0250
The init_nss_hash function in exec/totemcrypto.c in Corosync 2.0 before 2.3 does not properly initialize the HMAC key, which allows remote attackers to cause a denial of service (crash) via a crafted packet.
Vulnerability category: Denial of service
Exploit prediction scoring system (EPSS) score for CVE-2013-0250
Probability of exploitation activity in the next 30 days: 1.30%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 84 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2013-0250
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
10.0
|
2.9
|
NIST |
References for CVE-2013-0250
-
http://seclists.org/oss-sec/2013/q1/213
oss-sec: Re: CVE Request -- Corosync (2.0 <= X < 2.3): Remote DoS due improper HMAC initialization
-
http://seclists.org/oss-sec/2013/q1/214
oss-sec: Re: Re: CVE Request -- Corosync (2.0 <= X < 2.3): Remote DoS due improper HMAC initialization
-
http://seclists.org/oss-sec/2013/q1/212
oss-sec: CVE Request -- Corosync (X < 2.0.3): Remote DoS due improper HMAC initialization and improper junk filtering when different encryption keys used
-
https://github.com/corosync/corosync/commit/b3f456a8ceefac6e9f2e9acc2ea0c159d412b595
totemcrypto: fix hmac key initialization · corosync/corosync@b3f456a · GitHubExploit;Patch
Products affected by CVE-2013-0250
- cpe:2.3:a:corosync:corosync:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:corosync:corosync:2.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:corosync:corosync:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:corosync:corosync:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:corosync:corosync:2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:corosync:corosync:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:corosync:corosync:2.1.0:*:*:*:*:*:*:*