I recently went through a pentest from a 3rd party company on my React.js web app, hosted on Firebase Hosting (+ Authentication, Functions, and Storage), and one of the vulnerabilities pointed out by the pentest was "Server Vulnerable to Lucky13 TLS Exploit". I tried to do some research on this vulnerability, but it looks like it is a bit of an older exploit that I am not sure is still relevant to modern apps. Does anyone have any insights on this vulnerability, or on whether I should be worried or whether it is a false flag? Here are the details the pentest company provided:
Vulnerability Standard: NIST:
CWE ID: CWE-310
Description:
The web application seems to be vulnerable to the LUCKY13 attack.
LUCKY13 is a timing attack that can be used against servers
implementing some versions of the TLS protocol (1.1 and 1.2) that
support cipher suites that use cipher block chaining (CBC). It has the
potential to allow attackers to work out the contents of encrypted
communications between the client and server.
Recommendation:
Disable support for TLS cipher suites that use cipher block chaining
(CBC) mode.
References:
https://www.openssl.org/news/vulnerabilities.html
https://en.wikipedia.org/wiki/Lucky_Thirteen_attack
According to this article, the vulnerability mentioned should not be an issue.
Here is a video explaining the reason why this should not be an issue.
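To check a finding like this against what the server actually negotiates, the following added example (not part of the original post or the pentest report) sorts the cipher suites from a scan into CBC and non-CBC, since the recommendation targets only CBC suites. The function names and the scan listing are constructed for illustration; the listing format (protocol, then suite name) is an assumption.

```python
import re

# Constructed sample: "protocol suite" per line, mixing OpenSSL and IANA names.
SAMPLE_SCAN = """\
TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
TLSv1.2 ECDHE-RSA-AES128-SHA
TLSv1.2 TLS_RSA_WITH_AES_256_CBC_SHA256
TLSv1.1 AES256-SHA
TLSv1.3 TLS_AES_128_GCM_SHA256
"""

# AEAD and stream markers are checked before the block-cipher fallback.
AEAD = re.compile(r"GCM|CCM|CHACHA20|POLY1305")
BLOCK = re.compile(r"AES|CAMELLIA|DES|SEED|IDEA|ARIA")


def classify_suite(name):
    """Return 'aead', 'stream', 'null', 'cbc' or 'unknown' for a suite name."""
    n = name.upper().replace("-", "_")
    if AEAD.search(n):
        return "aead"
    if "RC4" in n:
        return "stream"
    if "NULL" in n:
        return "null"
    # IANA names spell out _CBC_; OpenSSL names omit it, so a block cipher
    # with no AEAD marker is a CBC (MAC-then-encrypt) suite.
    if "_CBC" in n or BLOCK.search(n):
        return "cbc"
    return "unknown"


def cbc_findings(scan_text):
    """Return (protocol, suite) pairs from the listing that use CBC mode."""
    findings = []
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        protocol, suite = parts
        if classify_suite(suite) == "cbc":
            findings.append((protocol, suite))
    return findings


if __name__ == "__main__":
    for protocol, suite in cbc_findings(SAMPLE_SCAN):
        print(f"CBC suite offered: {protocol} {suite}")
```

An empty result means the scanned endpoint offers no CBC suites, which is the state the recommendation asks for.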