Lincoln D. Stein Crypt::CBC Perl Module Weak Ciphertext Vulnerability
Crypt::CBC is prone to a weak-ciphertext vulnerability. The issue stems from a flaw in how it creates IVs (Initialization Vectors) for ciphers with a block size larger than 8. As a result, the ciphertext it produces contains bytes encrypted with a constant null IV. Such ciphertext is prone to differential cryptanalysis, which aids attackers in compromising the plaintext of encrypted data. The level of difficulty attackers may face in trying to exploit this flaw is currently unknown, but data encrypted with vulnerable versions of Crypt::CBC should be considered insecure.

Versions prior to Crypt::CBC 2.17 are vulnerable to this issue if they use the 'RandomIV' header style.
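A triage check for stored ciphertext, added here as an example and not taken from the advisory or from Crypt::CBC: it flags blobs that carry the 'RandomIV' header when the cipher's block size is larger than 8. It assumes the header layout documented for Crypt::CBC (the literal bytes `RandomIV` followed by 8 IV bytes, and `Salted__` for the 'salt' style); the function names, verdict strings and sample blobs are constructed for illustration.

```python
import base64

RANDOMIV_MAGIC = b"RandomIV"  # assumed layout: magic + 8 IV bytes + ciphertext
SALT_MAGIC = b"Salted__"      # assumed layout of the 'salt' header style
HEADER_IV_LEN = 8             # IV bytes carried by the RandomIV header


def decode_blob(blob):
    """Accept raw bytes, or hex / base64 text as often stored in databases."""
    if isinstance(blob, str):
        text = blob.strip()
        try:
            return bytes.fromhex(text)
        except ValueError:
            return base64.b64decode(text, validate=True)
    return bytes(blob)


def triage(blob, block_size):
    """Classify one ciphertext; block_size is the cipher's block size in bytes."""
    data = decode_blob(blob)
    if data.startswith(RANDOMIV_MAGIC):
        if len(data) < len(RANDOMIV_MAGIC) + HEADER_IV_LEN:
            return {"style": "randomiv", "verdict": "truncated"}
        # IV bytes the cipher block needs but the 8-byte header cannot supply.
        shortfall = max(block_size - HEADER_IV_LEN, 0)
        verdict = "re-encrypt" if shortfall else "ok"
        return {"style": "randomiv", "verdict": verdict,
                "iv_shortfall": shortfall}
    if data.startswith(SALT_MAGIC):
        return {"style": "salt", "verdict": "not-randomiv"}
    # No recognisable header: the style must be confirmed from the application.
    return {"style": "unknown", "verdict": "review"}


# Constructed sample blobs (filler bytes, not real ciphertext).
SAMPLE_RANDOMIV = RANDOMIV_MAGIC + bytes(range(8)) + bytes(32)
SAMPLE_SALT_B64 = base64.b64encode(SALT_MAGIC + bytes(8) + bytes(16)).decode()

if __name__ == "__main__":
    print(triage(SAMPLE_RANDOMIV, 16))        # 16-byte block cipher
    print(triage(SAMPLE_RANDOMIV, 8))         # 8-byte block cipher
    print(triage(SAMPLE_RANDOMIV.hex(), 16))  # same blob, hex-encoded
    print(triage(SAMPLE_SALT_B64, 16))
```

A `re-encrypt` verdict only says the blob matches the affected header style and block size; whether it was actually written by a version prior to 2.17 has to be established from the deployment history.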