CVE-2010-3074 - OpenCVE

SSL_Cipher.cpp in EncFS before 1.7.0 uses an improper combination of an AES cipher and a CBC cipher mode for encrypted filesystems, which allows local users to obtain sensitive information via a watermark attack.

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Arg0	Encfs

Configuration 1 [-]

OR	cpe:2.3:a:arg0:encfs::::::::
	cpe:2.3:a:arg0:encfs:1.4.0:::::::*
	cpe:2.3:a:arg0:encfs:1.4.1:::::::*
	cpe:2.3:a:arg0:encfs:1.4.1.1:::::::*
	cpe:2.3:a:arg0:encfs:1.4.2:::::::*
	cpe:2.3:a:arg0:encfs:1.5.0:::::::*

References

Link	Resource
http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0316.html
http://bugs.gentoo.org/show_bug.cgi?id=335938
http://code.google.com/p/encfs/source/detail?r=59
http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047794.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047798.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047825.html
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html
http://secunia.com/advisories/41158	Vendor Advisory
http://secunia.com/advisories/41478	Vendor Advisory
http://www.arg0.net/encfs
http://www.openwall.com/lists/oss-security/2010/09/05/3
http://www.openwall.com/lists/oss-security/2010/09/06/1
http://www.openwall.com/lists/oss-security/2010/09/07/8
http://www.vupen.com/english/advisories/2010/2414	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=630460

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2010-09-17T17:46:00

Updated: 2011-01-15T10:00:00

Reserved: 2010-08-20T00:00:00

Link: CVE-2010-3074

JSON object: View

NVD Information

Status : Modified

Published: 2010-09-17T18:00:02.667

Modified: 2011-01-14T06:46:32.717

Link: CVE-2010-3074

JSON object: View

Redhat Information

No data.

CWE

CWE-310

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2010-08-26T00:00:00", "descriptions": [{"lang": "en", "value": "SSL_Cipher.cpp in EncFS before 1.7.0 uses an improper combination of an AES cipher and a CBC cipher mode for encrypted filesystems, which allows local users to obtain sensitive information via a watermark attack."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2011-01-15T10:00:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "41158", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/41158"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=630460"}, {"name": "41478", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/41478"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://code.google.com/p/encfs/source/detail?r=59"}, {"name": "FEDORA-2010-14268", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047794.html"}, {"name": "FEDORA-2010-14200", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047825.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://bugs.gentoo.org/show_bug.cgi?id=335938"}, {"name": "SUSE-SR:2010:023", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html"}, {"name": "20100826 Multiple Vulnerabilities in EncFS", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0316.html"}, {"name": "[oss-security] 20100905 CVE Request -- EncFS / fuse-encfs [three ids] -- Multiple Vulnerabilities in EncFS", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2010/09/05/3"}, {"name": "[oss-security] 20100907 Re: CVE Request -- EncFS / fuse-encfs [three ids] -- Multiple Vulnerabilities in EncFS", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2010/09/07/8"}, {"name": "[oss-security] 20100905 Re: CVE Request -- EncFS / fuse-encfs [three ids] -- Multiple Vulnerabilities in EncFS", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2010/09/06/1"}, {"name": "ADV-2010-2414", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2010/2414"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.arg0.net/encfs"}, {"name": "FEDORA-2010-14254", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047798.html"}]}}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2010-3074", "datePublished": "2010-09-17T17:46:00", "dateReserved": "2010-08-20T00:00:00", "dateUpdated": "2011-01-15T10:00:00", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arg0:encfs:*:*:*:*:*:*:*:*", "matchCriteriaId": "B958CC56-A363-4A93-8AB7-4435FBB14373", "versionEndIncluding": "1.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:arg0:encfs:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "2A30A73A-DB18-4D44-85C1-9F6967A3EE5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:arg0:encfs:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "D8F97913-1DF7-4F49-A86F-382D4C77C9C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:arg0:encfs:1.4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8CA1DC0-1445-4F8C-8A0A-0131D2ACF54E", "vulnerable": true}, {"criteria": "cpe:2.3:a:arg0:encfs:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "4ED7EF13-E6EA-4E31-A4A8-067819DA854A", "vulnerable": true}, {"criteria": "cpe:2.3:a:arg0:encfs:1.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "755C05A8-A1E0-46AF-A4A6-BF01469B1AA1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SSL_Cipher.cpp in EncFS before 1.7.0 uses an improper combination of an AES cipher and a CBC cipher mode for encrypted filesystems, which allows local users to obtain sensitive information via a watermark attack."}, {"lang": "es", "value": "SSL_Cipher.cpp en EncFS anterior a v1.7.0 utiliza una combinaci\u00f3n inadecuada de un sistema de cifrado AES y un modo de cifrado CBC para sistemas de archivos cifrados, lo cual permite a usuarios locales obtener informaci\u00f3n sensible mediante un ataque de marca de agua."}], "id": "CVE-2010-3074", "lastModified": "2011-01-14T06:46:32.717", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2010-09-17T18:00:02.667", "references": [{"source": "secalert@redhat.com", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2010-08/0316.html"}, {"source": "secalert@redhat.com", "url": "http://bugs.gentoo.org/show_bug.cgi?id=335938"}, {"source": "secalert@redhat.com", "url": "http://code.google.com/p/encfs/source/detail?r=59"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047794.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047798.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047825.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00000.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/41158"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://secunia.com/advisories/41478"}, {"source": "secalert@redhat.com", "url": "http://www.arg0.net/encfs"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/09/05/3"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/09/06/1"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2010/09/07/8"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.vupen.com/english/advisories/2010/2414"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=630460"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}