search menu icon-carat-right cmu-wordmark

CERT Coordination Center


SSL/TLS implementations disclose side channel information via PKCS #1 v1.5 version number extension

Vulnerability Note VU#888801

Original Release Date: 2003-04-23 | Last Revised: 2004-08-25

Overview

SSL/TLS implementations that respond distinctively to an incorrect PKCS #1 v1.5 encoded SSL/TLS version number expose the premaster secret to a modified Bleichenbacher attack. An attacker could decrypt a given SSL/TLS session or forge a signature on behalf of a vulnerable application's private RSA key.

Description

Vlastimil Klíma, Ondᖞj Pokorný, and Tomáš Rosa have published a research paper describing a modified Bleichenbacher attack against RSA-based SSL/TLS applications. As in Bleichenbacher, the new attack uses side channel information from error messages and seeks to discover the premaster secret that is used as a basis for SSL/TLS session keys.

The Bleichenbacher attack (CA-1998-07) is computationally feasible against RSA-based applications that use Public-Key Cryptography Standard (PKCS) #1 v1.5 and return distinctive errors when the premaster secret in the Client hello message is not properly formatted. By sending a large number of chosen ciphertexts (premaster secrets) and monitoring the applications' responses, an attacker can discover the correct premaster secret for a given SSL/TLS session. With the premaster secret for a previously captured SSL/TLS session, the attacker can generate the correct master secret and session keys and decrypt the captured session. For more information about the Bleichenbacher attack, see Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1, RSA Laboratories Bulletin Number 7, and CERT Advisory CA-1998-07.

A widely accepted defense against the Bleichenbacher attack is for an RSA/PKCS #1 application to discard a malformed premaster secret, replace it with a random value, and proceed to generate a master secret and session keys. Since the client and server use different values for the premaster secret, they will generate different session keys, and the SSL/TLS session will fail. Note that the server must not provide a response that is distinguishable based on syntax (i.e. "Bad PKCS #1 format") or time (i.e. sending an error message immediately after discovering that the premaster secret is malformed).

The Klíma-Pokorný-Rosa attack exploits server responses to an incorrect or unexpected SSL/TLS version number that is included as part of the premaster secret (RFC 2246 section 7.4.7.1). If a server decrypts a properly formatted PKCS #1 premaster secret and discovers that the SSL/TLS version number is not what was expected, the server may immediately send an error message ("Bad SSL/TLS version number"). The authors term a server that exhibits this behavior a "bad version oracle (BVO)." Instead of using an error response to improper PKCS #1 formatting, this new attack uses an error response to an incorrect SSL/TLS version number. Klíma-Pokorný-Rosa have also introduced some optimizations to the Bleichenbacher attack, partly due to the SSL/TLS standard only using a subset of the PKCS #1 v1.5 format (section 3.2). This allows an attacker to search less space for the correct premaster secret.

This attack is feasible using widely available hardware. Under ideal laboratory conditions (100Mbps closed network, unloaded server with 2 X Pentium III 1.4GHz CPUs and 1 GB of RAM, Red Hat Linux 7.2, Apache 1.3.27/mod_ssl), the median time required for a successful attack is around 54.7 hours (~13 million guesses).

Since the SSL/TLS version number is a protocol-specific extension of the PKCS #1 format, other applications that use RSA/PKCS #1 to exchange keying information are not vulnerable to this attack. In particular, SSH1 using RSA only encrypts a session key. No version or other information is included. IKE authenticated with public key encryption is further protected by an ephemeral Diffe-Hellman exchange. For specific vendor information, see the Systems Affected section below.

Impact

An attacker who is able to capture an encrypted SSL/TLS session and query the server while it is using the same private RSA key that was used for the captured session could decrypt the captured session. An attacker could also forge a signature that appeared to be from the server (section 3.4).

Solution

Upgrade or Patch

Upgrade or apply a patch as specified by your vendor. In order to defeat this specific attack, an SSL/TLS server must not respond distinctively when a premaster secret sent by the client contains an incorrect or unexpected SSL/TLS version number. The paper recommends that an SSL/TLS server always replace the client-provided version number with the expected version number as determined from either the Client hello or Server hello messages (section 6.2).

Manage private keys

Use different private keys for different applications and servers and change keys as appropriate for your site and security policy. An attacker cannot decrypt a premaster secret encrypted with one RSA key by querying a server that uses a different key.
Monitor SSL/TLS applications and servers

Monitor RSA applications and servers for signs of attack. In the case of an attack against SSL/TLS web servers, logs may show a relatively high number of network connections and failed attempts to establish SSL/TLS sessions. Depending on baseline performance, servers may show increased CPU usage or an above average number of network connections.

Vendor Information

888801
Expand all

Apple Computer Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

Apple: The patch from the OpenSSL team to fix this vulnerability is available in Mac OS X 10.2.5, and may be obtained via: http://www.info.apple.com/support/downloads.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See also: APPLE-SA-2003-04-10.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see CLSA-2003:625.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

We have addressed this issue in DSA 288

http://www.debian.org/security/2003/dsa-288

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks

Notified:  April 18, 2003 Updated:  April 18, 2003

Status

  Vulnerable

Vendor Statement

F5 Networks has released a patch for the following products and versions:

BIG-IP versions 4.2 through 4.5
3-DNS versions 4.2 through 4.5
BIG-IP Blade Controller version 4.2.3 PTF-01

Patch locations and more information can be found here:

http://tech.f5.com/home/bigip/solutions/security/sol2379.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see FreeBSD-SA-03:06.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU TLS

Notified:  April 15, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed in GnuTLS 0.8.5.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux

Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://forums.gentoo.org/viewtopic.php?t=43402>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Guardian Digital Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see ESA-20030320-010.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  April 18, 2003 Updated:  April 29, 2003

Status

  Vulnerable

Vendor Statement

SOURCE: Hewlett-Packard Company HP Services Software Security Response Team
x-ref: SSRT3518, SSRT3499

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products.

As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see HPSBUX0304-0255/SSRT3499.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM

Notified:  April 18, 2003 Updated:  June 17, 2003

Status

  Vulnerable

Vendor Statement

The AIX operating system does not ship with SSL. However, SSL is available for installation on AIX from the Linux Affinity Toolbox.

The Linux Affinity Toolbox contains OpenSSL 0.9.6g-3 which is not vulnerable to the issues discussed in CERT Vulnerability Note VU#888801 and any advisories which follow.

Users using an earlier version of OpenSSL should download the most recent version as soon as possible.

The Linux Affinity Toolbox is available at:

http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html

This software is offered on an "as-is" and is unwarranted.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ingrian Networks

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

Ingrian Networks has addressed the Klima-Pokorny-Rosa attack in release 2.9.0. See http://www.ingrian.com/support or your Ingrian service representative.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mirapoint

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

Mirapoint released a fix for the attack described by Klima-Pokorny-Rosa on February 21, 2003. Details of the patch that addresses this (D3_SSL) can be found on the Mirapoint secure support center.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetBSD

Notified:  April 18, 2003 Updated:  April 21, 2003

Status

  Vulnerable

Vendor Statement

No services using SSL/TLS are enabled by default in NetBSD, however, by enabling services built with these libraries, a system could become vulnerable to the compromise.
A description and resolution procedure is available here:

ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-007.txt.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See also the list of patches included in NetBSD 1.6.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenBSD

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.openbsd.org/errata32.html#kpr>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenPKG

Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see OpenPKG-SA-2003.026.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSL

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed in OpenSSL 0.9.7b and 0.9.6j. OpenSSL has also posted an advisory that includes a patch for earlier versions.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc.

Notified:  April 18, 2003 Updated:  April 18, 2003

Status

  Vulnerable

Vendor Statement

Various Red Hat products have shipped with OpenSSL packages vulnerable to this issue. Updated OpenSSL packages that contain a backported security patch to protect against this vulnerability are available along with our advisories at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.
Red Hat Linux:

http://rhn.redhat.com/errata/RHSA-2003-101.html
Red Hat Enterprise Linux:

http://rhn.redhat.com/errata/RHSA-2003-102.html
Red Hat Stronghold Web Server 4 (Cross platform):

http://rhn.redhat.com/errata/RHSA-2003-116.html
Red Hat Stronghold Web Server 3:

http://rhn.redhat.com/errata/RHSA-2003-117.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Notified:  April 18, 2003 Updated:  May 15, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SGI Security Advisory 20030501-01-I.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SSH Communications Security

Notified:  April 18, 2003 Updated:  May 23, 2003

Status

  Vulnerable

Vendor Statement

SSH Communications Security Vendor statement for VU#888801

Not vulnerable products:

SSH Secure Shell for Servers (all versions)
SSH Secure Shell for Windows Servers (all versions)
SSH Secure Shell for Workstations (all versions)

The ssh1, ssh2 and ssh-agent protocols and applications are not vulnerable to the Klima-Pokorny-Rosa (KPR) attack because no error messages are reported from PKCS1 v1.5 decryption other than invalid PKCS1 padding. This implies there are no effective extensions to the Bleichenbacher attack such as the KPR attack against Secure Shell. The ssh1 and ssh-agent protocols have countermeasures against the Bleichenbacher attack and it is not applicable against ssh2.

Vulnerable products:

SSH Certificate/TLS Toolkit up to and including version 5.1.1
SSH IPSEC Express Toolkit up to and including version 5.1.1

A fix is available and has been delivered to SSH customers.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sorceror Linux

Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.securityfocus.com/archive/1/315884/2003-03-19/2003-03-25/0>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Stonesoft

Notified:  April 18, 2003 Updated:  June 02, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

<http://www.stonesoft.com/document/art/2949.html>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see SuSE-SA:2003:024.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux

Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see TSL-2003-0013.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wirex

Notified:  April 18, 2003 Updated:  April 18, 2003

Status

  Vulnerable

Vendor Statement

A patch has been made available, for more information please see:

http://download.immunix.org/ImmunixOS/7+/Updates/errata/IMNX-2003-7+-001-01

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

eSoft

Notified:  April 18, 2003 Updated:  June 02, 2003

Status

  Vulnerable

Vendor Statement

eSoft InstaGate software prior to version 3.1.20030425 is vulnerable. Customers can upgrade to version 3.1.20030425 through SoftPak Director.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

mod_ssl

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

mod_ssl itself is not directly vulnerable. To address this vulnerability in an Apache 1.3.x/mod_ssl system, however, mod_ssl needs to be linked against a patched/updated (0.9.7b/0.9.6j) version of OpenSSL.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Bitvise

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Clavister

Notified:  April 18, 2003 Updated:  May 23, 2003

Status

  Not Vulnerable

Vendor Statement

Clavister Firewall: Not Vulnerable
Clavister VPN Client: Not Vulnerable

The IKE protocol is not vulnerable to the Klima-Pokorny-Rosa attack, as it does not provide the necessary "clues" for the Bad Version Oracle to work with.

Even IKE with RSA encryption, which is an unusual IKE mode of operation that Clavister products does not do, should be immune to this attack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Covalent

Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

Covalent Technologies SSL implementations are NOT vulnerable to this or other variants of the Klima-Pokorny-Rosa attacks. No action by Covalent Technologies customers using Covalent SSL products is necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cryptlib

Notified:  April 18, 2003 Updated:  April 28, 2003

Status

  Not Vulnerable

Vendor Statement

cryptlib returns a purely boolean yes/no response to incorrect data in the RSA-encrypted premaster secret, with no specific error details provided. It is not vulnerable to the bad-version oracle attack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreSSH

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu

Notified:  April 18, 2003 Updated:  June 02, 2003

Status

  Not Vulnerable

Vendor Statement

Fujitsu's UXP/V o.s. is not affected by the problem in VU#888801 because it does not support the RSA-based SSL/TLS.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU Libgcrypt

Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

Libgcrypt only recently provides pkcs#1 creation within the library but there is no pkcs#1 parsing yet implemented. So Libgcrypt itself is too dumb to be affected. GnuPG is not affected because it is a store and forward system and not easily usable in an online setting.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU adns

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

GNU glibc

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

...glibc doesn't do RSA.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hitachi

Notified:  April 18, 2003 Updated:  May 21, 2003

Status

  Not Vulnerable

Vendor Statement

Hitachi Web Server is NOT Vulnerable to this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IP Filter

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

KAME Project

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The KAME IKE daemon (racoon) does not support the "Authenticated With Public Key Encryption" exchange methods.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MacSSH

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netfilter

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

The netfilter/iptables subsystem of the linux kernel is not affected, since it doesn't include any SSL/TLS support.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

OpenSSH

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

PuTTY

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

PuTTY cannot be vulnerable to any attack of this type in the SSH1 transport layer, since it is an SSH client only and the RSA decryption is done in the server. An SSH agent could feasibly be vulnerable if it reported SSH_AGENT_FAILURE in response to PKCS encoding errors, but PuTTY's agent implementation (Pageant) will never do this, so it is believed safe.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RSA Security

Notified:  April 18, 2003 Updated:  May 21, 2003

Status

  Not Vulnerable

Vendor Statement

RSA BSAFE SSL-C (all versions) SSLv3 and TLSv1 implementations are not vulnerable to the Klima-Pokorny-Rosa attack.

RSA BSAFE SSL-J SSLv3 and TLSv1 implementations are not vulnerable to the Klima-Pokorny-Rosa attack.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

TTSSH/TeraTerm

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

TTSSH is not vulnerable because there is no way to get TTSSH to perform a large number of RSA operations automatically. We perform one or two RSA operations each time the user connects to the server, and every server connection requires user interaction.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VanDyke Software Inc.

Notified:  April 18, 2003 Updated:  May 27, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WinSCP

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

djbdns

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

lsh

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

3Com

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

AT&T

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Alcatel

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apache

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apache-SSL

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Avaya

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BlueCat Networks

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

BorderWare

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Check Point

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Computer Associates

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Crypto++

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

D-Link Systems

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Data General

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Entrust

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Extreme Networks

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F-Secure

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Foundry Networks Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeS/WAN

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Global Technology Associates

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ISC

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

InfoBlox

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intel

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Internet Initiative Japan (IIJ)

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Interpeak

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intersoft International Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Intoto

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lotus Software

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Lucent Technologies

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MDKSA-2003:035.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Massachusetts Institute of Technology (MIT)

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Men&Mice

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MetaSolv Software Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Microsoft Corporation

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Multi-Tech Systems Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MultiNet

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

National Center for Supercomputing Applications (NCSA)

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

National Institute of Standards and Technology (NIST)

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetScreen

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Netcomposite

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Appliance

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Network Associates

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nixu

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nokia

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nominum

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Nortel Networks

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Novell

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Oracle Corporation

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Pragma Systems

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Redback Networks Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Riverstone Networks

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SafeNet

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Secure Computing Corporation

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SecureWorx

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sequent

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ShadowSupport

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sony Corporation

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Symantec Corporation

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The SCO Group

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Threshold Networks

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Unisys

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

WatchGuard

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Wind River Systems Inc.

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

ZyXEL

Notified:  April 18, 2003 Updated:  April 22, 2003

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

This vulnerability was researched and documented by Vlastimil Klíma, Ondřej Pokorný, and Tomáš Rosa.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2003-0131
Severity Metric: 4.05
Date Public: 2003-03-19
Date First Published: 2003-04-23
Date Last Updated: 2004-08-25 17:58 UTC
Document Revision: 49

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.