Pen-test Finding: TLS/DTLS ‘Lucky 13’ vulnerability

Question

Pen-test Finding: TLS/DTLS ‘Lucky 13’ vulnerability

Closed this issue 2 months ago · 2 comments

Lucky13 is a cryptographic side-channel attack against the encryption algorithms in TLS using
cipher block chaining mode, affecting TLS 1.1 and 1.2 and some earlier versions. It is so
named due to the 13 bytes of the TLS MAC header data which are in part the cause of its
vulnerability. Successful exploitation yields full plaintext for OpenSSL TLS encrypted
messages, allowing an attacker to read the full message, including session information. This
attack is similar to other Padding Oracle attacks but is more complex and requires a large
amount of data.

Answer 1 · 2021-09-23T17:04:41.000Z

can't fix. Handled by AWS load balancers

Answer 2 · 2024-07-24T17:52:36.000Z

This is a false-positive, per cloud.gov docs and ISSO concurrence.