CVE-2024-0202

A security vulnerability has been identified in the cryptlib cryptographic library when cryptlib is compiled with the support for RSA key exchange ciphersuites in TLS (by setting the USE_RSA_SUITES define), it will be vulnerable to the timing variant of the Bleichenbacher attack. An attacker that is able to perform a large number of connections to the server will be able to decrypt RSA ciphertexts or forge signatures using server's certificate.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=2256518	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cryptlib:cryptlib:*:*:*:*:*:*:*:*

History

13 Feb 2024, 18:31

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad de seguridad en la librería criptográfica cryptlib cuando cryptlib se compila con soporte para conjuntos de cifrado de intercambio de claves RSA en TLS (al configurar la definición USE_RSA_SUITES), será vulnerable a la variante de tiempo del ataque Bleichenbacher. Un atacante que pueda realizar una gran cantidad de conexiones al servidor podrá descifrar textos cifrados RSA o falsificar firmas utilizando el certificado del servidor.
CPE		cpe:2.3:a:cryptlib:cryptlib::::::::
First Time		Cryptlib cryptlib Cryptlib
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2256518 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2256518 - Issue Tracking, Third Party Advisory
CWE		CWE-203

05 Feb 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-05 21:15

Updated : 2024-02-13 18:31

NVD link : CVE-2024-0202

Mitre link : CVE-2024-0202

CVE.ORG link : CVE-2024-0202

JSON object : View

Products Affected

cryptlib

cryptlib

CWE

CWE-203

Observable Discrepancy

CWE-208

Observable Timing Discrepancy

{"id": "CVE-2024-0202", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "patrick@puiterwijk.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2024-02-05T21:15:11.450", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2256518", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "patrick@puiterwijk.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}, {"type": "Secondary", "source": "patrick@puiterwijk.org", "description": [{"lang": "en", "value": "CWE-208"}]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been identified in the cryptlib cryptographic library when cryptlib is compiled with the support for RSA key exchange ciphersuites in TLS (by setting the USE_RSA_SUITES define), it will be vulnerable to the timing variant of the Bleichenbacher attack. An attacker that is able to perform a large number of connections to the server will be able to decrypt RSA ciphertexts or forge signatures using server's certificate."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad de seguridad en la librer\u00eda criptogr\u00e1fica cryptlib cuando cryptlib se compila con soporte para conjuntos de cifrado de intercambio de claves RSA en TLS (al configurar la definici\u00f3n USE_RSA_SUITES), ser\u00e1 vulnerable a la variante de tiempo del ataque Bleichenbacher. Un atacante que pueda realizar una gran cantidad de conexiones al servidor podr\u00e1 descifrar textos cifrados RSA o falsificar firmas utilizando el certificado del servidor."}], "lastModified": "2024-02-13T18:31:03.300", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cryptlib:cryptlib:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9F70EF56-2980-4A66-B182-7652F54631FC", "versionEndExcluding": "3.4.7"}], "operator": "OR"}]}], "sourceIdentifier": "patrick@puiterwijk.org"}