What is CVE-2013-2061?

CVE-2013-2061 is a vulnerability in Openvpn, classified under Information Disclosure. Published 2013-11-18.

Is CVE-2013-2061 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Information disclosure in Openvpn

CVE-2013-2061

The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constan…

Vulnerability class: Information Disclosure

EPSS: 0.015 (81.2th percentile) — read the EPSS interpretation.

Affected products

Openvpn — versions 1.2.0, 1.2.1, 1.3.0
Openvpn Openvpn_access_server — versions 2.0.0
Opensuse — versions 11.4
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

Public proof-of-concept exploits

ARPSyndicate/cve-scores

References

FEDORA-2013-7552 (x_refsource_FEDORA, vendor-advisory)
FEDORA-2013-7531 (x_refsource_FEDORA, vendor-advisory)
openSUSE-SU-2013:1645 (vendor-advisory, x_refsource_SUSE, Vendor Advisory)
secalert@redhat.com (x_refsource_CONFIRM)
[oss-security] 20130506 Re: CVE request: OpenVPN use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt (mailing-list, x_refsource_MLIST)
MDVSA-2013:167 (vendor-advisory, x_refsource_MANDRIVA)
openSUSE-SU-2013:1649 (vendor-advisory, x_refsource_SUSE)
secalert@redhat.com (x_refsource_CONFIRM)
secalert@redhat.com (x_refsource_CONFIRM, Exploit, Patch)
secalert@redhat.com (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2013-2061?: CVE-2013-2061 is a vulnerability in Openvpn, classified under Information Disclosure. Published 2013-11-18.
Is CVE-2013-2061 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.