Test ID:	1.3.6.1.4.1.25623.1.1.10.2020.0315
Category:	Mageia Linux Local Security Checks
Title:	Mageia: Security Advisory (MGASA-2020-0315)
Summary:	The remote host is missing an update for the 'mumble' package(s) announced via the MGASA-2020-0315 advisory.
Description:	Summary: The remote host is missing an update for the 'mumble' package(s) announced via the MGASA-2020-0315 advisory. Vulnerability Insight: Updated mumble package fixes security vulnerability: OCB2 is known to be broken under certain conditions: [link moved to references] To execute the universal attacks described in the paper, an attacker needs access to an encryption oracle that allows it to perform encryption queries with attacker-chosen nonce. Luckily in Mumble the encryption nonce is a fixed counter which is far too restrictive for the universal attacks to be feasible against Mumble. The basic attacks do not require an attacker-chosen nonce and as such are more applicable to Mumble. They are however of limited use and do require an en- and a decryption oracle which Mumble seemingly does not provide at the same time. To be on the safe side, this commit implements the counter-cryptanalysis measure described in the paper in section 9 for the sender and receiver side. This way if either server of client are patched, their communication is almost certainly (merely lacking formal proof) not susceptible to the attacks described in the paper. Fixed: Potential exploit in the OCB2 encryption (#4227) Affected Software/OS: 'mumble' package(s) on Mageia 7. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Copyright	Copyright (C) 2022 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.