Vulnerability Name: CVE-2010-3075 (CCN-61462)

Assigned: 2010-08-26
Published: 2010-08-26
Updated: 2010-09-20
Summary: EncFS before 1.7.0 encrypts multiple blocks by means of the CFB cipher mode with the same initialization vector, which makes it easier for local users to obtain sensitive information via calculations involving recovery of XORed data, as demonstrated by an attack on encrypted data in which the last block contains only one byte.

CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): None
  Availability (A): None

CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
4.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:W/RC:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): None
  Availability (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.5 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:W/RC:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): None
  Availability (A): None

Vulnerability Type: CWE-310
Vulnerability Consequences: Obtain Information
References:

Source: CCN
Type: Full-Disclosure Mailing List, Thu Aug 26 2010
Multiple Vulnerabilities in EncFS

Source: FULLDISC
Type: UNKNOWN
20100826 Multiple Vulnerabilities in EncFS

Source: MITRE
Type: CNA
CVE-2010-3075

Source: FEDORA
Type: UNKNOWN
FEDORA-2010-14268

Source: FEDORA
Type: UNKNOWN
FEDORA-2010-14254

Source: FEDORA
Type: UNKNOWN
FEDORA-2010-14200

Source: CCN
Type: SA41158
EncFS Multiple Weaknesses

Source: SECUNIA
Type: Vendor Advisory
41158

Source: SECUNIA
Type: Vendor Advisory
41478

Source: CONFIRM
Type: UNKNOWN
http://www.arg0.net/encfs

Source: CCN
Type: EncFS Web Site
EncFS 1.7 -- August 29, 2010

Source: MLIST
Type: UNKNOWN
[oss-security] 20100905 CVE Request -- EncFS / fuse-encfs [three ids] -- Multiple Vulnerabilities in EncFS

Source: MLIST
Type: UNKNOWN
[oss-security] 20100905 Re: CVE Request -- EncFS / fuse-encfs [three ids] -- Multiple Vulnerabilities in EncFS

Source: MLIST
Type: UNKNOWN
[oss-security] 20100907 Re: CVE Request -- EncFS / fuse-encfs [three ids] -- Multiple Vulnerabilities in EncFS

Source: CCN
Type: OSVDB ID: 68078
EncFS CFB Cipher Mode Last Block Single Byte Weakness

Source: CCN
Type: BID-42779
EncFS Flawed CBC/CFB Cryptography Implementation Weaknesses

Source: VUPEN
Type: Vendor Advisory
ADV-2010-2414

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=630460

Source: XF
Type: UNKNOWN
encfs-cfb-information-disclosure(61462)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:arg0:encfs:1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:arg0:encfs:1.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:arg0:encfs:1.4.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:arg0:encfs:1.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:arg0:encfs:1.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:arg0:encfs:*:*:*:*:*:*:*:* (Version <= 1.6.0)

* Denotes that component is vulnerable

Oval Definitions:

| Definition ID | Class | Title | Last Modified |
|---|---|---|---|
| oval:org.opensuse.security:def:20103075 | V | CVE-2010-3075 | 2015-11-16 |
| oval:com.ubuntu.xenial:def:201030750000000 | V | CVE-2010-3075 on Ubuntu 16.04 LTS (xenial) - medium. | 2010-09-17 |
| oval:com.ubuntu.artful:def:20103075000 | V | CVE-2010-3075 on Ubuntu 17.10 (artful) - medium. | 2010-09-17 |
| oval:com.ubuntu.xenial:def:20103075000 | V | CVE-2010-3075 on Ubuntu 16.04 LTS (xenial) - medium. | 2010-09-17 |
| oval:com.ubuntu.bionic:def:20103075000 | V | CVE-2010-3075 on Ubuntu 18.04 LTS (bionic) - medium. | 2010-09-17 |
| oval:com.ubuntu.precise:def:20103075000 | V | CVE-2010-3075 on Ubuntu 12.04 LTS (precise) - medium. | 2010-09-17 |
| oval:com.ubuntu.bionic:def:201030750000000 | V | CVE-2010-3075 on Ubuntu 18.04 LTS (bionic) - medium. | 2010-09-17 |
| oval:com.ubuntu.trusty:def:20103075000 | V | CVE-2010-3075 on Ubuntu 14.04 LTS (trusty) - medium. | 2010-09-17 |