CVEs Impacting TLS 1.0
TLS 1.0 (RFC 2246, published 1999) is deprecated (RFC 8996, 2021) primarily because of inherent protocol weaknesses: CBC mode with chained, predictable IVs, a MAC-then-encrypt record construction that invites padding oracles, and a PRF and handshake signatures built on MD5 and SHA-1.
Enabling TLS 1.0 exposes systems to man-in-the-middle (MITM) attacks, session hijacking, and decryption of traffic. Below are the major associated CVEs; entries that are implementation bugs rather than protocol flaws are marked as such:
• CVE-2011-3389 (BEAST): In TLS 1.0 (and SSL 3.0) the CBC IV of each record is the last ciphertext block of the previous record, so anyone watching the connection knows the IV of the next record before it is sent. An attacker who can also make the victim send chosen plaintext (e.g., from a script running in the browser) aligns a secret such as a session cookie so that one unknown byte falls at the end of a block, then confirms guesses for that byte one at a time. Mitigation: disable TLS 1.0 (TLS 1.1 and later send a fresh explicit IV with every record); client-side 1/n-1 record splitting also defeats the attack. Switching to RC4, the original workaround, is no longer acceptable: RC4 is itself broken and prohibited by RFC 7465.
• CVE-2014-3566 (POODLE): Padding oracle in SSL 3.0 CBC, whose padding bytes are not covered by the MAC, allowing byte-by-byte decryption of secrets such as authentication tokens. TLS 1.0 clients are affected when an attacker can force a protocol downgrade to SSL 3.0; TLS_FALLBACK_SCSV (RFC 7507) and disabling SSL 3.0 close that path. TLS implementations that skipped the padding check entirely were directly vulnerable to the same attack; that variant is tracked as CVE-2014-8730.
• CVE-2013-0169 (Lucky Thirteen): Timing side channel in MAC-then-encrypt CBC record decryption: the time taken to check padding and MAC varies with the padding length, which gives a remote padding oracle. Combined with BEAST-style chosen-plaintext injection across many connections, plaintext bytes can be recovered. It affects all CBC suites in TLS 1.0 through 1.2 (and DTLS). Mitigation: constant-time padding and MAC processing (patched in the major libraries) or, better, AEAD suites.
• CVE-2016-2183 (Sweet32): Birthday attack on 64-bit block ciphers (3DES, Blowfish) in CBC mode. After roughly 2^32 blocks (32 GB) on one long-lived connection, colliding ciphertext blocks leak the XOR of plaintext blocks; the published attack recovered an HTTP session cookie after about 785 GB of traffic. It recovers plaintext, not the key. Mitigation: remove 3DES suites and prefer 128-bit block ciphers (AES).
• CVE-2014-0160 (Heartbleed): Implementation bug, not a protocol flaw: a buffer over-read in the TLS heartbeat extension (RFC 6520) of OpenSSL 1.0.1 through 1.0.1f. Any TLS or DTLS version negotiated with a vulnerable OpenSSL lets a peer read up to 64 KB of process memory per heartbeat request, including private keys, session keys and user data. Netcraft estimated that about 17% of trusted HTTPS servers were affected at disclosure. Fixed in OpenSSL 1.0.1g.
• CVE-2023-22812: SanDisk PrivateAccess, in the affected versions, still negotiated TLS 1.0, exposing its connections to MITM attacks through the protocol weaknesses above.
• CVE-2022-36937: Affected HHVM versions used TLS 1.0 for the stream extension's TLS connections, exposing them to the protocol flaws above.
• CVE-2024-23656: Dex (an OpenID Connect identity service written in Go) served HTTPS with TLS 1.0 and 1.1 still negotiable because no minimum TLS version was enforced; the fix sets TLS 1.2 as the floor.
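The IV-chaining mechanism that BEAST exploits, as an added example that is not part of the original page: a stripped-down CBC record layer in Go (whole AES blocks only, no MAC or padding, because the chaining rather than the padding is what the attack uses), a constructed key and a constructed secret byte, and the attacker's guess oracle run once against TLS 1.0-style chained IVs and once against the explicit per-record IV of TLS 1.1 and later. The 15-byte known prefix models the block alignment the real attack arranges from a browser script; nothing here is taken from a real TLS stack.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// recordLayer is a stripped-down CBC record layer: whole AES blocks only, no
// MAC and no padding, because BEAST abuses IV chaining rather than padding.
type recordLayer struct {
	block      cipher.Block
	lastBlock  []byte // last ciphertext block sent on the wire (visible to an eavesdropper)
	explicitIV bool   // false: TLS 1.0 chained IV; true: TLS 1.1+ fresh random IV per record
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newRecordLayer(key []byte, explicitIV bool) *recordLayer {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	// TLS 1.0 takes the very first IV from the key block; a random one is
	// equivalent here, since only the IVs of later records matter to the attack.
	return &recordLayer{block: block, lastBlock: randBytes(aes.BlockSize), explicitIV: explicitIV}
}

// encrypt returns one record's ciphertext. With explicit IVs the random IV is
// prepended, as TLS 1.1+ does on the wire.
func (r *recordLayer) encrypt(plaintext []byte) []byte {
	iv := r.lastBlock
	if r.explicitIV {
		iv = randBytes(aes.BlockSize)
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(r.block, iv).CryptBlocks(ct, plaintext)
	r.lastBlock = ct[len(ct)-aes.BlockSize:]
	if r.explicitIV {
		return append(iv, ct...)
	}
	return ct
}

func xor3(a, b, c []byte) []byte {
	out := make([]byte, len(a))
	for i := range out {
		out[i] = a[i] ^ b[i] ^ c[i]
	}
	return out
}

// beast plays the attack against one session. The victim sends a block whose
// first 15 bytes the attacker knows and whose last byte is secret (BEAST aligns
// the record boundary so that exactly one unknown byte falls into the block).
// The attacker can then make the victim encrypt chosen plaintext and watches
// the wire. Returns the recovered byte and whether a guess was confirmed.
func beast(explicitIV bool) (byte, bool) {
	victim := newRecordLayer(randBytes(16), explicitIV) // constructed session key
	known := bytes.Repeat([]byte("A"), 15)
	const secret = byte('7') // constructed: one byte of the cookie under attack

	ivS := append([]byte(nil), victim.lastBlock...) // IV the victim uses now (TLS 1.0)
	wire := victim.encrypt(append(known, secret))
	if explicitIV {
		ivS = wire[:aes.BlockSize] // TLS 1.1+: the IV is public, but only after the fact
	}
	cS := append([]byte(nil), wire[len(wire)-aes.BlockSize:]...)

	for g := 0; g < 256; g++ {
		// The attacker's prediction of the next IV is the last ciphertext block
		// seen: exact for TLS 1.0, unrelated to the real IV for TLS 1.1+.
		ivNext := append([]byte(nil), victim.lastBlock...)
		guess := append(append([]byte(nil), known...), byte(g))
		// E(probe XOR ivNext) == E(guess XOR ivS) == cS  iff  guess == secret block
		probe := xor3(guess, ivS, ivNext)
		out := victim.encrypt(probe)
		if bytes.Equal(out[len(out)-aes.BlockSize:], cS) {
			return byte(g), true
		}
	}
	return 0, false
}

func main() {
	b, ok := beast(false)
	fmt.Printf("TLS 1.0 chained IV:   recovered=%v byte=%q\n", ok, b)
	_, ok = beast(true)
	fmt.Printf("TLS 1.1+ explicit IV: recovered=%v\n", ok)
}
```

With chained IVs the loop confirms the secret byte within at most 256 chosen records; with a fresh random IV per record the attacker's prediction of the next IV is wrong, so no guess ever matches and the oracle is useless. Recovering a whole cookie repeats the same step once per byte with the alignment shifted, which is what the browser-side part of the real attack does.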
CVEs Impacting TLS 1.2
TLS 1.2 (RFC 5246, published 2008) is considerably stronger than TLS 1.0 (explicit per-record IVs, AEAD suites, a SHA-256 PRF) but still negotiates legacy ciphers (CBC, 3DES, RC4), allows MD5 and SHA-1 handshake signatures, supports compression, and makes forward secrecy optional. Several of the attacks below are shared with earlier versions; others are implementation bugs in the libraries that speak it. Weak configurations should be phased out in favor of TLS 1.3. Major associated CVEs:
• CVE-2015-7575 (SLOTH): Transcript-collision attacks on the weak hashes (MD5, and with far more effort SHA-1) that TLS 1.2 still allowed in the signature_algorithms negotiation for handshake signatures. An attacker who can find chosen-prefix collisions on the handshake transcript can impersonate a client that signs with RSA-MD5 and, with more effort, a server, and can downgrade the hash both sides use. Mitigation: refuse MD5 (and SHA-1) signature algorithms; TLS 1.3 removes them.
• CVE-2022-38153: Implementation bug in wolfSSL before 5.5.0 (built with session tickets): a MITM or a malicious server can send an oversized session ticket in the NewSessionTicket message of a TLS 1.2 handshake, causing an invalid free and a crash (denial of service) on the client.
• CVE-2013-3587 (BREACH): Exploits HTTP-level compression (gzip/deflate of response bodies), not TLS. When a response reflects attacker-controlled input next to a secret such as a CSRF token, the compressed and therefore encrypted length reveals whether a guess matched; the authors extracted tokens in under 30 seconds. It is independent of the TLS version (TLS 1.3 does not fix it), so mitigations are application-level: do not compress responses that mix secrets with user input, mask tokens per request, rate-limit. Its TLS-compression counterpart, CRIME (CVE-2012-4929), is addressed by disabling TLS compression.
• CVE-2014-0224 (CCS Injection): Implementation bug in OpenSSL, not specific to TLS 1.2. OpenSSL accepted a ChangeCipherSpec message before the key material was established, so a MITM who injects an early CCS toward both endpoints makes them derive session keys from an empty pre-master secret and can then decrypt and modify the traffic. Exploitable when both sides run vulnerable OpenSSL (servers from 1.0.1 onward); fixed in 0.9.8za, 1.0.0m and 1.0.1h.
• CVE-2013-0169 (Lucky Thirteen): As above; applies to TLS 1.2 CBC suites whose implementation is not constant-time. AEAD suites (AES-GCM, ChaCha20-Poly1305) are not affected.
• CVE-2016-2183 (Sweet32): As above; 3DES suites remain negotiable in TLS 1.2 unless removed from the configuration.
• CVE-2011-3389 (BEAST): Does not apply to TLS 1.1 and 1.2 records themselves, because each record carries its own explicit random IV, which removes the chained-IV predictability the attack relies on. A server that keeps TLS 1.0 enabled alongside TLS 1.2 remains exposed whenever a client negotiates, or is downgraded to, TLS 1.0, and TLS 1.2 CBC suites are still subject to the Lucky Thirteen padding oracle above.
Recommendations
• Disable TLS 1.0 and 1.1 entirely (RFC 8996); prefer TLS 1.3, which mandates (EC)DHE forward secrecy and drops CBC, RC4, 3DES, compression and MD5/SHA-1 signatures, so most of the attacks above cannot be negotiated at all.
• Where TLS 1.2 must stay, allow only ECDHE key exchange with AEAD suites (AES-GCM, ChaCha20-Poly1305), remove CBC, 3DES and RC4 suites and MD5/SHA-1 signature algorithms, disable TLS compression, support TLS_FALLBACK_SCSV, and keep the TLS library patched.
• Use tools like Qualys SSL Labs, testssl.sh or openssl s_client (e.g., "openssl s_client -tls1 -connect host:443" must fail against a correctly configured server) for system-specific assessments, and NVD searches for the libraries and products in use.
The lists above mix protocol-level weaknesses with implementation bugs (Heartbleed, CCS Injection, CVE-2022-38153): configuration fixes the former, only patching fixes the latter, and the two compound each other.
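The weak and the corrected server configuration side by side, as an added example in Go's crypto/tls (the library behind the Dex entry above; this is not Dex's code): a throwaway self-signed certificate generated in memory, a legacy server that still accepts TLS 1.0, a hardened server with a TLS 1.2 floor and AEAD-only suites, and a handshake helper over loopback TCP so the negotiation can be observed offline. The certificate, the "localhost" name and the 5-second deadline are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// lab: a self-signed certificate generated in memory (constructed test material)
// and a trust store holding only it, so the client verifies the server for real.
type lab struct {
	cert tls.Certificate
	pool *x509.CertPool
}

func newLab() *lab {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "localhost"},
		DNSNames:  []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return &lab{cert: tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool: pool}
}

// legacyServer: no real floor, TLS 1.0 and the default suite list (CBC-SHA1 suites
// included) are accepted. Before Go 1.22 a tls.Config with MinVersion left at zero
// behaved like this, which is the pattern behind CVE-2024-23656.
func (l *lab) legacyServer() *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{l.cert}, MinVersion: tls.VersionTLS10}
}

// hardenedServer: TLS 1.2 floor and, for TLS 1.2, only ECDHE + AEAD suites
// (TLS 1.3 suites are not configurable in Go and are all AEAD).
func (l *lab) hardenedServer() *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{l.cert}, MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305}}
}

// client pins a version range; suites, if given, restrict what it offers.
func (l *lab) client(lo, hi uint16, suites ...uint16) *tls.Config {
	return &tls.Config{RootCAs: l.pool, ServerName: "localhost", MinVersion: lo, MaxVersion: hi, CipherSuites: suites}
}

// handshake runs one handshake over loopback TCP and returns the negotiated state,
// or the error reported by either side (the server's error takes precedence).
func handshake(server, client *tls.Config) (tls.ConnectionState, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		must(err)
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second)) // a stalled handshake fails, never hangs
		srvErr <- tls.Server(conn, server).Handshake()
	}()
	raw, err := net.DialTimeout("tcp", ln.Addr().String(), 5*time.Second)
	must(err)
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	c := tls.Client(raw, client)
	cliErr := c.Handshake()
	if err := <-srvErr; err != nil {
		return tls.ConnectionState{}, fmt.Errorf("server: %w", err)
	}
	if cliErr != nil {
		return tls.ConnectionState{}, fmt.Errorf("client: %w", cliErr)
	}
	return c.ConnectionState(), nil
}
```

handshake(l.legacyServer(), l.client(tls.VersionTLS10, tls.VersionTLS10)) negotiates TLS 1.0 with a CBC-SHA1 suite, exactly what the CVEs above target. The same client against l.hardenedServer() is rejected with a protocol_version alert, a TLS 1.2 client offering only tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA is rejected for lack of a common suite, and a client with MinVersion TLS 1.2 and no MaxVersion lands on TLS 1.3 (or TLS 1.2 with AES-GCM on older toolchains). The same tls.Config is what an http.Server takes in its TLSConfig field, so the floor applies unchanged to an HTTPS listener.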