Home > Vulnerability Database > CVE-2015-2808

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2015-2808

Date: March 31, 2015

The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.

Severity Score

5.3

Related Resources (105)

Url: http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-454055.htm

Url: https://www.secpod.com/blog/cve-2015-2808-bar-mitzvah-attack-in-rc4-2/

Url: http://rhn.redhat.com/errata/RHSA-2015-1228.html

Url: http://marc.info/?l=bugtraq&m=144043644216842&w=2

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05085988

Url: http://www.securitytracker.com/id/1032734

Url: http://www.debian.org/security/2015/dsa-3339

Url: http://www.securitytracker.com/id/1032858

Url: http://rhn.redhat.com/errata/RHSA-2015-1230.html

Url: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04770140

Url: http://www.securitytracker.com/id/1033386

Url: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773256

Url: http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00022.html

Url: https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04711380

Url: http://marc.info/?l=bugtraq&m=144102017024820&w=2

Url: http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00004.html

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05336888

Url: http://www.securitytracker.com/id/1033415

Url: http://www.securityfocus.com/bid/91787

Url: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926789

Url: http://www.securitytracker.com/id/1032600

Url: http://rhn.redhat.com/errata/RHSA-2015-1243.html

Url: http://marc.info/?l=bugtraq&m=143741441012338&w=2

Url: http://www-01.ibm.com/support/docview.wss?uid=swg1IV71888

Url: http://www-304.ibm.com/support/docview.wss?uid=swg21960015

Url: https://security-tracker.debian.org/tracker/CVE-2015-2808

Url: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

Url: http://www.ubuntu.com/usn/USN-2696-1

Url: http://rhn.redhat.com/errata/RHSA-2015-1526.html

Url: http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

Url: http://www.securitytracker.com/id/1032910

Url: http://www.debian.org/security/2015/dsa-3316

Url: http://www.securitytracker.com/id/1032599

Url: http://marc.info/?l=bugtraq&m=143456209711959&w=2

Url: https://nvd.nist.gov/vuln/detail/CVE-2015-2808

Url: http://rhn.redhat.com/errata/RHSA-2015-1241.html

Url: http://www.securitytracker.com/id/1032990

Url: http://www-304.ibm.com/support/docview.wss?uid=swg21960769

Url: http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00040.html

Url: http://marc.info/?l=bugtraq&m=143817899717054&w=2

Url: http://marc.info/?l=bugtraq&m=144104533800819&w=2

Url: http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00046.html

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05193347

Url: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773119

Url: https://h20566.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04708650

Url: https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5098709

Url: http://www.securitytracker.com/id/1032868

Url: http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00039.html

Url: http://marc.info/?l=bugtraq&m=143629696317098&w=2

Url: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04773241

Url: http://www.securitytracker.com/id/1033431

Url: http://www.securitytracker.com/id/1033432

Url: http://rhn.redhat.com/errata/RHSA-2015-1020.html

Url: http://rhn.redhat.com/errata/RHSA-2015-1007.html

Url: https://kb.juniper.net/JSA10783

Url: http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00014.html

Url: http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00031.html

Url: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

Url: https://security.gentoo.org/glsa/201512-10

Url: http://rhn.redhat.com/errata/RHSA-2015-1006.html

Url: http://marc.info/?l=bugtraq&m=144059660127919&w=2

Url: http://marc.info/?l=bugtraq&m=143817021313142&w=2

Url: http://www-01.ibm.com/support/docview.wss?uid=swg21883640

Url: http://rhn.redhat.com/errata/RHSA-2015-1021.html

Url: http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c04779034

Url: http://marc.info/?l=bugtraq&m=144104565600964&w=2

Url: http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html

Url: http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00005.html

Url: http://www.securitytracker.com/id/1033737

Url: http://marc.info/?l=bugtraq&m=144069189622016&w=2

Url: http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00015.html

Url: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04832246

Url: http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Url: https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf

Url: http://www.ubuntu.com/usn/USN-2706-1

Url: http://www-01.ibm.com/support/docview.wss?uid=swg1IV71892

Url: http://www.securityfocus.com/bid/73684

Url: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04687922

Url: http://www.securitytracker.com/id/1033769

Url: http://marc.info/?l=bugtraq&m=144493176821532&w=2

Url: http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00047.html

Url: http://marc.info/?l=bugtraq&m=144060576831314&w=2

Url: http://marc.info/?l=bugtraq&m=144060606031437&w=2

Url: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Url: http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00000.html

Url: http://www-304.ibm.com/support/docview.wss?uid=swg21903565

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289935

Url: http://www.securitytracker.com/id/1032708

Url: http://www.securitytracker.com/id/1032707

Url: https://kc.mcafee.com/corporate/index?page=content&id=SB10163

Url: http://www.securitytracker.com/id/1032788

Url: http://lists.opensuse.org/opensuse-security-announce/2015-06/msg00013.html

Url: http://rhn.redhat.com/errata/RHSA-2015-1091.html

Url: http://marc.info/?l=bugtraq&m=143818140118771&w=2

Url: http://www.huawei.com/en/psirt/security-advisories/hw-454055

Url: https://access.redhat.com/security/cve/CVE-2015-2808

Url: http://rhn.redhat.com/errata/RHSA-2015-1229.html

Url: http://www.securitytracker.com/id/1036222

Url: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04772190

Url: http://marc.info/?l=bugtraq&m=144059703728085&w=2

Url: http://rhn.redhat.com/errata/RHSA-2015-1242.html

Url: http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727

Url: http://www.securitytracker.com/id/1033071

Url: http://www.securitytracker.com/id/1033072

Url: https://www.mend.io/vulnerability-database/CVE-2015-2808

Severity Score

5.3

Weakness Type (CWE)

Use of a Broken or Risky Cryptographic Algorithm

CWE-327

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Do you need more information?

Contact Us