LUCKY13 (CVE-2013-0169), experimental : is the issue FP?

[samvejha]

Please find the details about the issue "LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches" while openssl version seems to have fixed it.

1. testssl version from the banner (testssl.sh -b 2>/dev/null | head -4 | tail -2)
   2.9dev from https://testssl.sh/dev/
2. what exactly was happening, output is needed
   LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
3. what did you expect instead?
   LUCKY13 Not vulnerable
4. steps to reproduce
   1. testssl.sh command line
      ./testssl.sh :
   2. openssl version used (testssl.sh -b 2>/dev/null | head -16 | tail -3)
      OpenSSL 1.0.1e-fips 11 Feb 2013
   3. your operating system (uname -a)
      Linux GNU/Linux

-Thanks
Samvedna

[drwetter]

Hei, testssl.sh cannot check this from external. In fact no tool can reliably, even not TLS-Attacker. Atm I think it's the best what the tool can do. Admittedly as time passed by chances that one runs a vulnerable openssl version became less likely. Cheers, Dirk

…

-- Sent from my mobile. Excuse my brevity&typos+the phone's autocorrection

[LeslieGerman]

Hi Dirk,

So actually we can treat this as false positive, like you mentioned this in another response, am I right?
What is somewhat disturbing is, that the word "VULNERABLE" appears in the log, so script based log-processing cannot reliable based on detecting this "VULNERABLE" word in the log...

Thanks,
László

[drwetter]

László,

it's not at all a FP. You omitted the tiny word "potential" which matters. You should take the whole finding as a suggestion to check the server side and check for the word "potentially" in the finding.

I am open for suggestions what can be done better. But I see only two possibilities:

1. potentially VULNERABLE (= leave it like it is)
2. toss the whole check -- which I don't really want to.

Cheers, Dirk

[srikanth1201]

Please provide me solution of below vulnerability for nginx.

LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches

nginx version: nginx/1.13.12