IBM Tivoli Directory Server < 6.0.0.72 / 6.1.0.55 / 6.2.0.30 / 6.3.0.22 with GSKit < 7.0.4.45 / 8.0.14.27 TLS Side-Channel Timing Information Disclosure

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote host has a library installed that is affected by an
information disclosure vulnerability.

Description :

The remote host is running a version of IBM Tivoli Directory Server
and a version of IBM Global Security Kit (GSKit) that is affected by
an information disclosure vulnerability. The Transport Layer Security
(TLS) protocol does not properly consider timing side-channel attacks,
which allows remote attackers to conduct distinguishing attacks and
plaintext-recovery attacks via statistical analysis of timing data
for crafted packets. This type of exploitation is known as the 'Lucky
Thirteen' attack.

See also :

http://www-01.ibm.com/support/docview.wss?uid=swg21638270

Solution :

Install the appropriate fix based on the vendor's advisory :

- 6.0.0.72-ISS-ITDS
- 6.1.0.55-ISS-ITDS
- 6.2.0.30-ISS-ITDS
- 6.3.0.22-ISS-ITDS

Alternatively, upgrade GSKit to 7.0.4.45 or 8.0.50.4 or later.
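
The following triage helper is an added example, not Tenable's plugin code or IBM's tooling. It compares an inventory of installed versions against the fix levels listed above. Assumptions: a host is treated as affected only when both the TDS level and the GSKit level are below their fixes (the reading suggested by the title's "with" and the "Alternatively" above), and the GSKit thresholds are the ones in the page title (the Solution text names 8.0.50.4 for the 8.0 stream, so adjust the table if you follow that). Host names and versions in the inventory are constructed sample data.

```python
# Added example: fix levels copied from the advisory text on this page.
TDS_FIXED = {  # TDS branch -> first fixed level
    "6.0": "6.0.0.72",
    "6.1": "6.1.0.55",
    "6.2": "6.2.0.30",
    "6.3": "6.3.0.22",
}
GSKIT_FIXED = {"7.0": "7.0.4.45", "8.0": "8.0.14.27"}  # from the page title


def parse(version):
    """Turn '6.3.0.22' into (6, 3, 0, 22); reject non-numeric parts."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def below_fix(version, fixed_by_branch):
    """True/False if the branch is listed, None if it is not covered."""
    v = parse(version)
    if len(v) < 2:
        return None
    fixed = fixed_by_branch.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return None
    return v < parse(fixed)


def assess(tds_version, gskit_version):
    """Assumed rule: affected only when both components are below fix."""
    tds = below_fix(tds_version, TDS_FIXED)
    gsk = below_fix(gskit_version, GSKIT_FIXED)
    if tds is None or gsk is None:
        return "unknown"  # branch not listed on this page; check manually
    return "affected" if tds and gsk else "not affected"


# Constructed inventory rows (host names and versions are sample data).
INVENTORY = [
    ("ldap-a", "6.3.0.10", "8.0.14.26"),
    ("ldap-b", "6.3.0.22", "8.0.14.26"),
    ("ldap-c", "6.1.0.9", "7.0.4.45"),
    ("ldap-d", "5.2.0.1", "7.0.3.1"),
]

if __name__ == "__main__":
    for host, tds, gsk in INVENTORY:
        print(f"{host}: TDS {tds}, GSKit {gsk} -> {assess(tds, gsk)}")
```

Versions on a branch the page does not list return "unknown" rather than a guess, so those hosts can be checked against the vendor advisory by hand.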

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:ND/RC:ND)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 80481

Bugtraq ID: 57778

CVE ID: CVE-2013-0169
