#VU21462 Information Exposure Through Timing Discrepancy in RSA BSAFE Micro Edition Suite and RSA BSAFE Crypto-C


Published: 2019-10-01

Vulnerability identifier: #VU21462

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-3732

CWE-ID: CWE-208

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
RSA BSAFE Micro Edition Suite
Client/Desktop applications / Other client software
RSA BSAFE Crypto-C
Server applications / Encryption software

Vendor: Dell

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because two separate operations in the product require different amounts of time to complete, in a way that is observable to an attacker and reveals security-relevant information about the product's internal state (CWE-208). A remote attacker who can measure the timing of these operations can extract information, leaving data at risk of exposure.
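The CWE-208 pattern described above, as an added illustration that is not BSAFE code (the advisory does not identify which BSAFE operation has the data-dependent timing): an early-exit byte comparison beside a constant-time one, and a byte-by-byte recovery loop that uses only the oracle's running time as its signal. The number of secret bytes examined stands in for elapsed time; the 8-byte secret and the one extra unit of work on the accept path are constructed assumptions of this example. A real attacker has to average many measurements to separate such a signal from network jitter, which is why the vector rates attack complexity High.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Proxy for elapsed time: how many bytes the last comparison touched.
 * A real attacker measures wall-clock or round-trip time instead. */
static size_t g_bytes_examined;

typedef int (*compare_fn)(const uint8_t *, const uint8_t *, size_t);

/* Early-exit comparison (the CWE-208 pattern): stops at the first mismatch,
 * so its running time grows with the length of the correctly guessed prefix. */
int leaky_compare(const uint8_t *guess, const uint8_t *secret, size_t n)
{
    g_bytes_examined = 0;
    for (size_t i = 0; i < n; i++) {
        g_bytes_examined++;
        if (guess[i] != secret[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: touches every byte and folds all differences
 * into one accumulator, with no branch that depends on the data. */
int ct_compare(const uint8_t *guess, const uint8_t *secret, size_t n)
{
    uint8_t diff = 0;
    g_bytes_examined = 0;
    for (size_t i = 0; i < n; i++) {
        g_bytes_examined++;
        diff |= (uint8_t)(guess[i] ^ secret[i]);
    }
    return diff == 0;
}

/* Verification oracle as the attacker sees it: only a "time" comes back.
 * An accepted guess costs one extra unit for the work done after a
 * successful check (modelling assumption, not from the advisory). */
static size_t timed_oracle(compare_fn cmp, const uint8_t *guess,
                           const uint8_t *secret, size_t n)
{
    int accepted = cmp(guess, secret, n);
    return g_bytes_examined + (accepted ? 1u : 0u);
}

/* Attack: recover the secret one byte at a time by keeping, for each
 * position, the candidate byte that makes the oracle run longest.
 * Returns how many bytes of `out` match `secret` (n on full success). */
size_t recover_secret(compare_fn cmp, const uint8_t *secret, size_t n,
                      uint8_t *out)
{
    memset(out, 0, n);
    for (size_t pos = 0; pos < n; pos++) {
        size_t best_time = 0;
        uint8_t best_byte = 0;
        for (unsigned c = 0; c < 256; c++) {
            out[pos] = (uint8_t)c;
            size_t t = timed_oracle(cmp, out, secret, n);
            if (t > best_time) {          /* strict: first maximum wins ties */
                best_time = t;
                best_byte = (uint8_t)c;
            }
        }
        out[pos] = best_byte;
    }
    size_t correct = 0;
    for (size_t i = 0; i < n; i++)
        correct += (out[i] == secret[i]);
    return correct;
}

/* Constructed 8-byte secret (think of a truncated MAC). It has no zero
 * bytes, so a failed attack that leaves `out` zeroed scores 0. */
static const uint8_t kSecret[8] = {0x5a, 0xc3, 0x17, 0xe8, 0x91, 0x2b, 0x7f, 0x44};

size_t attack_with(compare_fn cmp)
{
    uint8_t out[8];
    return recover_secret(cmp, kSecret, sizeof kSecret, out);
}

/* Bytes examined when the very first byte already differs. */
size_t examined_on_first_byte_mismatch(compare_fn cmp)
{
    const uint8_t a[4] = {1, 2, 3, 4}, b[4] = {9, 2, 3, 4};
    cmp(a, b, sizeof a);
    return g_bytes_examined;
}

int main(void)
{
    printf("first-byte mismatch: leaky examines %zu, ct examines %zu\n",
           examined_on_first_byte_mismatch(leaky_compare),
           examined_on_first_byte_mismatch(ct_compare));
    printf("bytes recovered: leaky %zu/8, ct %zu/8\n",
           attack_with(leaky_compare), attack_with(ct_compare));
    return 0;
}
```

Against `leaky_compare` the loop recovers all eight bytes with at most 256 queries per byte; against `ct_compare` every guess costs the same, so the loop learns nothing and the only remaining strategy is brute force over the whole value. The library-side fix is to remove the data-dependent branch, as `ct_compare` does, not to add random delay. A production constant-time compare must also survive the compiler: check the generated assembly or use a barrier, since an optimizer may reintroduce an early exit it can prove equivalent.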

This vulnerability affects the following versions:
  • RSA BSAFE Crypto-C Micro Edition - versions prior to 4.0.5.3 (in 4.0.x) and prior to 4.1.3.3 (in 4.1.x)
  • RSA BSAFE Micro Edition Suite - versions prior to 4.0.11 (in 4.0.x), prior to 4.1.6.1 (in 4.1.x) and versions prior to 4.3.3 (4.2.x and 4.3.x)

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

RSA BSAFE Micro Edition Suite: versions prior to 4.0.11 (4.0.x), prior to 4.1.6.1 (4.1.x) and prior to 4.3.3 (4.2.x and 4.3.x)

RSA BSAFE Crypto-C Micro Edition: versions prior to 4.0.5.3 (4.0.x) and prior to 4.1.3.3 (4.1.x)


External links
http://www.dell.com/support/security/en-us/details/DOC-107000/DSA-2019-079-RSA-BSAFE®-Crypto-C-Micro-Edition-and-Micro-Edition-Suite-Multiple-Security-Vulnerab


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote, unauthenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
