Hubert Kario

**Name of the Vulnerable Software and Affected Versions** iPerf3 versions prior to 3.17 OpenSSL versions prior to 3.2.0 **Description** The issue is related to a timing side channel in RSA decryption operations when iPerf3 is used as a server with RSA authentication and OpenSSL. This could allow a remote attacker to recover credential plaintext by sending a large number of messages for decryption, as described in the "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. **Recommendations** For iPerf3 versions prior to 3.17, update to version 3.17 or later to resolve the issue. For OpenSSL versions prior to 3.2.0, update to version 3.2.0 or later to resolve the issue. As a temporary workaround, consider disabling RSA authentication in iPerf3 until a patch is available. Restrict access to the server with RSA authentication to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: perl-Crypt-OpenSSL-RSA (affected versions not specified) Description: A timing-based side-channel flaw exists in the perl-Crypt-OpenSSL-RSA package, which could be sufficient to recover plaintext across a network in a Bleichenbacher-style attack. To achieve successful decryption, an attacker would have to be able to send a large number of trial messages. The vulnerability affects the legacy PKCS#1v1.5 RSA encryption padding mode. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** wolfSSL versions prior to 3.6.6 **Description** The issue is related to the wolfSSL SP Math All RSA implementation being vulnerable to the Marvin Attack, a new variation of a timing Bleichenbacher style attack. This vulnerability is specific to static RSA cipher suites, which are not recommended and have been disabled by default since wolfSSL 3.6.6. The vulnerability allows an attacker to decrypt ciphertexts and forge signatures after probing with a large number of test observations. However, the server’s private key is not exposed. **Recommendations** For versions prior to 3.6.6, consider disabling the static RSA cipher suites by removing the `WOLFSSL STATIC RSA` define or updating to a version where this is disabled by default, such as wolfSSL 3.6.6 or later. As a temporary workaround, consider restricting the use of static RSA cipher suites until a patch is available.

**Name of the Vulnerable Software and Affected Versions** cryptlib (affected versions not specified) **Description** A security issue has been identified in the cryptlib cryptographic library when it is compiled with support for RSA key exchange ciphersuites in TLS. This makes it vulnerable to the timing variant of the Bleichenbacher attack. An attacker who can establish a large number of connections to the server can decrypt RSA ciphertexts or forge signatures using the server's certificate. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Oracle Java SE versions 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1 Oracle GraalVM for JDK versions 17.0.9, 21.0.1 Oracle GraalVM Enterprise Edition versions 20.3.12, 21.3.8, 22.3.4 **Description** A difficult to exploit vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products allows an unauthenticated attacker with network access via multiple protocols to compromise these systems. Successful attacks can result in unauthorized creation, deletion, or modification access to critical data or all accessible data, as well as unauthorized access to critical data or complete access to all accessible data. This vulnerability applies to Java deployments that load and run untrusted code and rely on the Java sandbox for security, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets. **Recommendations** For Oracle Java SE versions 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1, update to a newer version that contains a fix for this vulnerability. For Oracle GraalVM for JDK versions 17.0.9, 21.0.1, update to a newer version that contains a fix for this vulnerability. For Oracle GraalVM Enterprise Edition versions 20.3.12, 21.3.8, 22.3.4, update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the Java sandbox and limiting the execution of untrusted code until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GnuTLS (affected versions not specified) **Description** The issue is related to a difference in response time when handling RSA ciphertext in ClientKeyExchange messages with correct and incorrect PKCS#1 padding. This could allow a remote attacker to gain unauthorized access to protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mbed TLS versions 2.x before 2.28.7 Mbed TLS versions 3.x before 3.5.2 **Description** A timing side channel in RSA private operations could allow a local attacker to recover the plaintext by sending a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. This side channel could be exploited by a remote attacker to gain access to confidential information. **Recommendations** For Mbed TLS versions 2.x before 2.28.7, update to version 2.28.7 or later to resolve the issue. For Mbed TLS versions 3.x before 3.5.2, update to version 3.5.2 or later to resolve the issue. As a temporary workaround, consider restricting access to RSA private operations until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PyCryptodome and pycryptodomex versions prior to 3.19.1 **Description** The issue is related to side-channel leakage for OAEP decryption, which can be exploited for a Manger attack. This allows a remote attacker to gain unauthorized access to protected information due to information disclosure through inconsistency. **Recommendations** For versions prior to 3.19.1, update to version 3.19.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of OAEP decryption in PyCryptodome and pycryptodomex until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 8.1.29 PHP versions prior to 8.2.20 PHP versions prior to 8.3.8 **Description** The issue is related to the `openssl private decrypt` function in PHP when using PKCS1 padding, which is the default. This makes PHP vulnerable to the Marvin Attack unless used with an OpenSSL version that includes specific changes. The changes are part of OpenSSL 3.2 and have been backported to stable versions of various Linux distributions and PHP builds for Windows. **Recommendations** For PHP versions prior to 8.1.29, update to version 8.1.29 or later to include OpenSSL patches that fix the vulnerability. For PHP versions prior to 8.2.20, update to version 8.2.20 or later to include OpenSSL patches that fix the vulnerability. For PHP versions prior to 8.3.8, update to version 8.3.8 or later to include OpenSSL patches that fix the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mozilla Firefox versions prior to 121 **Description** The issue is related to a side-channel attack known as "Minerva" that affects multiple NSS NIST curves, potentially allowing an attacker to recover the private key. This could lead to the disclosure of confidential information. The attack can be exploited by a remote attacker. **Recommendations** For versions prior to 121, update to version 121 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive information until the update is applied.

**Name of the Vulnerable Software and Affected Versions** m2crypto (affected versions not specified) **Description** A flaw was found in m2crypto, which may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges. This could lead to the exposure of confidential or sensitive data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** python-cryptography (affected versions not specified) **Description** A flaw was found in the python-cryptography package, which may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges. This could lead to exposure of confidential or sensitive data. The issue is related to an uncontrolled consumption of resources in the RSA Key Exchange Handler component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSC (affected versions not specified) **Description** A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant, potentially resulting in the leak of private data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** jsrsasign versions prior to 11.0.0 **Description** The issue is related to an Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process in the jsrsasign package. An attacker can decrypt ciphertexts by exploiting this flaw, which is also known as the Marvin security flaw. Exploiting this issue requires the attacker to have access to a large number of ciphertexts encrypted with the same key. This vulnerability can be exploited to perform a Bleichenbacher or Marvin attack. **Recommendations** For jsrsasign versions prior to 11.0.0, update to jsrsasign 11.0.0 to resolve the issue. As a temporary workaround, consider finding and replacing RSA and RSAOAEP decryption with another crypto library until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Network Security Services (NSS) versions prior to the fixed version Firefox versions prior to 124 Firefox ESR versions prior to 115.9 Thunderbird versions prior to 115.9 **Description** The issue is related to the implementation of PKCS#1 v1.5, OAEP, and RSASVP standards in the NSS library, which lacks sufficient protection of service data due to a timing discrepancy. This allows a remote attacker to perform a Bleichenbacher or Marvin attack, potentially recovering private data. The vulnerability is also described as a timing side-channel attack when performing RSA decryption. **Recommendations** For NSS, update to a version that includes the fix for this issue. For Firefox versions prior to 124, update to version 124 or later. For Firefox ESR versions prior to 115.9, update to version 115.9 or later. For Thunderbird versions prior to 115.9, update to version 115.9 or later. As a temporary workaround, consider restricting the use of RSA decryption in the affected software until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Network Security Services (NSS) versions prior to 3.61 **Description** The issue is related to the implementation of the PKCS#1 v1.5 standard in the NSS library, which was leaking information useful for mounting Bleichenbacher-like attacks through timing side-channel. This allowed an attacker to decrypt a previously intercepted PKCS#1 v1.5 ciphertext or forge a signature using the victim's key by sending a large number of attacker-selected ciphertexts. The problem was fixed by implementing the implicit rejection algorithm. **Recommendations** For versions prior to 3.61, update to version 3.61 or later to resolve the issue. As a temporary workaround, consider implementing the implicit rejection algorithm to return a deterministic random message in case invalid padding is detected. Restrict access to the PKCS#1 v1.5 functionality to minimize the risk of exploitation until the update is applied.

**Name of the Vulnerable Software and Affected Versions** GnuTLS (affected versions not specified) **Description** A timing side-channel in the handling of RSA ClientKeyExchange messages was discovered in GnuTLS. This side-channel can be sufficient to recover the key encrypted in the RSA ciphertext across a network in a Bleichenbacher style attack. To achieve a successful decryption, the attacker would need to send a large amount of specially crafted messages to the vulnerable server. By recovering the secret from the ClientKeyExchange message, the attacker would be able to decrypt the application data exchanged over that connection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenSSL (affected versions not specified) **Description** A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. This occurs when the hash algorithm used for the signature is known to the OpenSSL library, but the implementation of the hash algorithm is not available, causing the digest initialization to fail. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions; however, third-party applications would be affected if they call these functions to verify signatures on untrusted data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mbed TLS versions prior to 2.28.1 Mbed TLS versions 3.x prior to 3.2.0 **Description** An issue was discovered in Mbed TLS where an unauthenticated attacker can send an invalid ClientHello message to a DTLS server, causing a heap-based buffer over-read of up to 255 bytes. This can cause a server crash or possibly information disclosure based on error responses. Affected configurations have `MBEDTLS SSL DTLS CLIENT PORT REUSE` enabled and `MBEDTLS SSL IN CONTENT LEN` less than a threshold that depends on the configuration. **Recommendations** For Mbed TLS versions prior to 2.28.1, update to version 2.28.1 or later. For Mbed TLS versions 3.x prior to 3.2.0, update to version 3.2.0 or later. As a temporary workaround, consider disabling the `MBEDTLS SSL DTLS CLIENT PORT REUSE` feature until a patch is available. Restrict access to the DTLS server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Mbed TLS version 2.24.0 **Description** A side-channel vulnerability in base64 PEM file decoding exists, allowing system-level attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments. This issue is related to the use of base64 decoding functionality with non-constant execution time, which can be exploited by a remote attacker to access confidential data. **Recommendations** For Mbed TLS version 2.24.0, consider disabling the base64 PEM file decoding functionality as a temporary workaround until a patch is available. Restrict access to sensitive data and confidential information to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.