PT-2024-4043 · Openssl+9

Hubert Kario · Published 2024-05-13 · Updated 2026-01-21 · CVE-2024-26306

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

iPerf3 versions prior to 3.17 (when run as a server with RSA authentication)
OpenSSL versions prior to 3.2.0 (the OpenSSL that iPerf3 uses for RSA decryption)
Description

When iPerf3 runs as a server with RSA authentication enabled, it uses OpenSSL to RSA-decrypt the credentials each client sends. In iPerf3 before 3.17 used with OpenSSL before 3.2.0, the time that decryption takes depends on the outcome of the padding check on the decrypted value, which is a timing side channel. A remote, unauthenticated attacker who submits a large number of crafted messages for decryption and measures the server's response times can use that leak to recover the credential plaintext, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. The attack needs many queries and precise timing measurements, hence the high attack complexity and confidentiality-only impact in the CVSS vector.
Recommendations

Update iPerf3 to version 3.17 or later. Also update OpenSSL to version 3.2.0 or later: OpenSSL 3.2.0 introduced implicit rejection for RSA PKCS#1 v1.5 decryption, so a failed padding check no longer produces the distinguishable error the attack relies on. The affected combination is an iPerf3 server before 3.17 running on OpenSSL before 3.2.0; updating either component takes the server out of that combination. Until the update can be applied, run the iPerf3 server without RSA authentication (do not start it with --rsa-private-key-path and --authorized-users-path), and restrict network access to any server that must keep RSA authentication, since the attack requires sending it a large number of messages.
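The affected combination in the Description and the upgrade/workaround advice above can be turned into a host check. The script below is an added example for this advisory, not code from the advisory or from the iperf3 or OpenSSL projects. It treats a host as exposed only when both iperf3 is older than 3.17 and OpenSSL is older than 3.2.0, with one exception: iperf3 3.17 added a --use-pkcs1-padding option that restores the pre-3.17 padding, and a server started with it on OpenSSL before 3.2.0 is exposed again. The version strings in the demonstration loop are constructed, not taken from real hosts; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example for this advisory; not code from the advisory, iperf3 or OpenSSL.
# Answers "is this host still exposed to CVE-2024-26306?" from two version
# numbers plus how the iperf3 server was started.
# Exposure needs BOTH iperf3 < 3.17 AND OpenSSL < 3.2.0. Exception: iperf3 >= 3.17
# started with --use-pkcs1-padding uses the legacy padding and is exposed again
# when OpenSSL is < 3.2.0.
# Caveat: distributions often backport fixes without changing the version string;
# on such hosts trust the distro advisory (RHSA/DLA/USN/...) over this comparison.

# version_ge A B: exit 0 when dotted version A >= B. Missing components count
# as 0; trailing letters (e.g. "1.1.1w") are ignored.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*} bi=${b%%.*}
        ai=${ai%%[!0-9]*} bi=${bi%%[!0-9]*}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# cve_2024_26306_exposed IPERF3_VER OPENSSL_VER [pkcs1]
# exit 0 = exposed, 1 = not exposed. Pass "pkcs1" as the third argument when
# the server runs with --use-pkcs1-padding.
cve_2024_26306_exposed() {
    version_ge "$2" 3.2.0 && return 1   # OpenSSL applies implicit rejection
    version_ge "$1" 3.17 || return 0    # old iperf3 on old OpenSSL
    [ "${3:-}" = pkcs1 ]                # new iperf3, but legacy padding forced
}

# first_version TEXT: first whitespace-separated field that looks like a dotted
# version, e.g. "iperf 3.17.1 (cJSON 1.7.15)" -> 3.17.1,
# "OpenSSL 3.0.13 30 Jan 2024" -> 3.0.13
first_version() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+(\.[0-9]+)+/) { print $i; exit } }'
}

# Best-effort check of the local host. The openssl CLI version stands in for the
# libcrypto iperf3 actually links against; confirm with
#   ldd "$(command -v iperf3)" | grep libcrypto
# when a static or privately installed OpenSSL could be in play.
check_local_host() {
    command -v iperf3 >/dev/null 2>&1 || { echo "iperf3 not installed: not affected"; return 1; }
    iperf_v=$(first_version "$(iperf3 --version 2>/dev/null)")
    ssl_v=$(first_version "$(openssl version 2>/dev/null)")
    # command line of a running iperf3 server, if any ("-s" also matches "--server")
    server_args=$(ps -eo args 2>/dev/null | grep '[i]perf3.*-s' | head -n 1)
    padding=
    case $server_args in *--use-pkcs1-padding*) padding=pkcs1 ;; esac
    case $server_args in
        *--rsa-private-key-path*) auth="server running with RSA authentication" ;;
        *) auth="no running server with RSA authentication (not exploitable as started)" ;;
    esac
    if cve_2024_26306_exposed "$iperf_v" "$ssl_v" "$padding"; then
        echo "EXPOSED: iperf3 ${iperf_v:-?} with OpenSSL ${ssl_v:-?}; $auth"
        echo "  workaround: run the server without --rsa-private-key-path until updated"
        return 0
    fi
    echo "not exposed: iperf3 ${iperf_v:-?} with OpenSSL ${ssl_v:-?}; $auth"
    return 1
}

# Offline demonstration on constructed version pairs (no real hosts involved)
for pair in "3.16.1 3.0.13" "3.17 3.0.13" "3.17 3.0.13 pkcs1" "3.16.1 3.2.0"; do
    set -- $pair
    if cve_2024_26306_exposed "$1" "$2" "${3:-}"; then s=exposed; else s="not exposed"; fi
    echo "iperf3 $1 + OpenSSL $2${3:+ ($3 padding)}: $s"
done
# Set IPERF_CHECK_LIVE=1 to inspect the host the script runs on
if [ "${IPERF_CHECK_LIVE:-0}" = 1 ]; then check_local_host; fi
```

Run it with IPERF_CHECK_LIVE=1 on the iperf3 server itself; the process-list check is the part that tells you whether the installed version is actually reachable as an RSA-authenticating server, which is the only configuration this advisory covers.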

Related Identifiers

ALSA-2024:4241
ALSA-2024:9185
AZL-40537
AZL-40658
BDU:2024-04484
CESA-2024_4241
CVE-2024-26306
DLA-4032-1
INFSA-2024_4241
INFSA-2024_9185
MGASA-2024-0226
OESA-2024-1604
OESA-2024-1639
OESA-2024-1640
OESA-2024-1729
OPENSUSE-SU-2024:13964-1
RHSA-2024:4241
RHSA-2024:9185
RHSA-2024_4241
RHSA-2024_9185
RLSA-2024:9185
SUSE-SU-2024:1981-1
USN-7970-1

Affected Products

Almalinux
Centos
Debian
Linuxmint
Openssl
Red Hat
Red Os
Rocky Linux
Ubuntu
Iperf3