Eyal Ronen

**Name of the Vulnerable Software and Affected Versions** Windows (affected versions not specified) **Description** The issue is related to the implementation of the Kerberos protocol in Windows, which can be manipulated to cause a timing mismatch vulnerability. This can allow a remote attacker to elevate their privileges. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSC (affected versions not specified) **Description** A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant, potentially resulting in the leak of private data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: keymaster versions prior to SMR Oct-2021 Release 1 Description: A keyblob downgrade attack in keymaster allows an attacker to trigger an IV reuse issue with a privileged process. Recommendations: For versions prior to SMR Oct-2021 Release 1, update to SMR Oct-2021 Release 1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 94.0.4606.54 **Description** The issue is related to side-channel information leakage in DevTools, allowing a remote attacker to bypass site isolation via a crafted HTML page. This is due to errors in data encryption. The attacker can exploit this issue to bypass existing security restrictions. **Recommendations** For versions prior to 94.0.4606.54, update to version 94.0.4606.54 or later to resolve the issue. As a temporary workaround, consider restricting access to DevTools or avoiding the use of crafted HTML pages that could exploit this issue.

**Name of the Vulnerable Software and Affected Versions** Android Keystore versions prior to SMR AUG-2021 Release 1 **Description** The issue is related to an IV reuse vulnerability in the keymaster, which allows decryption of custom keyblobs with privileged processes. This vulnerability is associated with insufficient input validation in the Android Keystore system on Samsung Galaxy devices. The exploitation of this vulnerability may enable an attacker to bypass protection and extract private keys from a secure environment. **Recommendations** For versions prior to SMR AUG-2021 Release 1, consider disabling the keymaster function temporarily until a patch is available. Restrict access to the vulnerable keymaster module to minimize the risk of exploitation. Avoid using the affected keyblob in the keymaster until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Philips Hue Bridge model 2.X prior to and including version 1935144020 **Description** The issue is related to a Heap-based Buffer Overflow that occurs when handling a long ZCL string during the commissioning phase, resulting in remote code execution. This can be exploited using a malicious ZigBee lightbulb to infiltrate a home IoT network. The flaw could allow remote attackers to gain access to the entire WiFi network over-the-air without cracking the password and launch further attacks against other devices connected to the same network. **Recommendations** For Philips Hue Bridge model 2.X prior to and including version 1935144020, update to a version later than 1935144020 to resolve the issue. As a temporary workaround, consider restricting access to the commissioning phase to minimize the risk of exploitation. Avoid using the vulnerable Philips Hue Bridge until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** FreeRADIUS versions 3.0 through 3.0.19 **Description** The issue is related to errors in EAP-pwd authentication, which can lead to information leakage. This leakage is similar to the "Dragonblood" attack and can be used by an attacker to recover the password of any user. On average, 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. An attacker can exploit this vulnerability to obtain a password for authorization in a Wi-Fi network. **Recommendations** For FreeRADIUS versions 3.0 through 3.0.19, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FreeRADIUS versions prior to 3.0.19 **Description** The issue is related to improper authentication in the FreeRADIUS server, which can be exploited by a remote attacker to gain unauthorized access to protected information. This is similar to a "Dragonblood" issue, where reflection can be used for authentication spoofing. **Recommendations** For versions prior to 3.0.19, update to version 3.0.19 or later to resolve the issue. As a temporary workaround, consider restricting access to the RADIUS server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Network Security Services (NSS) versions prior to 3.41 **Description** A cached side channel attack during handshakes using RSA encryption could allow for the decryption of encrypted content. This issue is related to errors in cryptographic transformations and can be exploited to gain unauthorized access to protected information. The attack is a variant of the Adaptive Chosen Ciphertext attack, also known as the Bleichenbacher attack. It may also involve downgrading the used TLS protocol version, allowing an attacker to access protected information using a side channel. **Recommendations** For NSS versions prior to 3.41, update to version 3.41 or later to resolve the issue. As a temporary workaround, consider restricting the use of RSA encryption for handshakes until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GnuTLS (affected versions not specified) **Description** A cache-based side channel in the GnuTLS implementation allows for plain text recovery in a cross-VM attack setting. An attacker can use a combination of "Just in Time" Prime+probe attack and Lucky-13 attack with crafted packets to recover plain text. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GnuTLS (affected versions not specified) Description: The issue is related to the GnuTLS implementation of HMAC-SHA-384, which is vulnerable to a Lucky thirteen style attack. This allows remote attackers to conduct distinguishing attacks and plain text recovery attacks via statistical analysis of timing data using crafted packets. The vulnerability is due to errors in the implementation of the cryptographic algorithm, enabling an attacker to exploit it and perform attacks such as plain text recovery. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GnuTLS (affected versions not specified) Description: The issue is related to the GnuTLS implementation of HMAC-SHA-256, which is vulnerable to a Lucky thirteen style attack. Remote attackers could exploit this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets. The vulnerability is associated with errors in the implementation of the cryptographic algorithm, allowing an attacker to exploit it and perform attacks such as plaintext-recovery attacks using specially crafted packets. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mbed TLS versions prior to 2.14.1 Mbed TLS versions prior to 2.7.8 Mbed TLS versions prior to 2.1.17 **Description** The issue is related to a local synchronization problem during RSA decryption in Mbed TLS, allowing a local unprivileged attacker to recover the plaintext of RSA decryption. This affects RSA-without-(EC)DH(E) cipher suites. The vulnerability can be exploited to gain access to protected information. **Recommendations** For versions prior to 2.14.1, update to version 2.14.1 or later. For versions prior to 2.7.8, update to version 2.7.8 or later. For versions prior to 2.1.17, update to version 2.1.17 or later.