openEuler update for m2crypto



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-25657
CWE-ID CWE-208
Exploitation vector Network
Public exploit N/A
Vulnerable software
 openEuler
Operating systems & Components / Operating system

m2crypto-debugsource
Operating systems & Components / Operating system package or component

python3-m2crypto
Operating systems & Components / Operating system package or component

m2crypto-debuginfo
Operating systems & Components / Operating system package or component

m2crypto
Operating systems & Components / Operating system package or component

Vendor openEuler

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Information Exposure Through Timing Discrepancy

EUVDB-ID: #VU65771

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-25657

CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to possibility of the Bleichenbacher timing attack in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. A remote attacker can gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 22.03 LTS

m2crypto-debugsource: before 0.30.1-5

python3-m2crypto: before 0.30.1-5

m2crypto-debuginfo: before 0.30.1-5

m2crypto: before 0.30.1-5

CPE2.3 External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2022-1852


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###