Covert Timing Channel in RSA BSAFE Micro Edition Suite

#VU21467 Covert Timing Channel in RSA BSAFE Micro Edition Suite

Published: 2019-10-01

Vulnerability identifier: #VU21467

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-11057

CWE-ID: CWE-385

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
RSA BSAFE Micro Edition Suite
Client/Desktop applications / Other client software

Vendor: Dell

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerabiity exists due to a covert timing channel vulnerability during RSA decryption, also known as a Bleichenbacher attack on RSA decryption. A remote attacker can recover a RSA key.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

RSA BSAFE Micro Edition Suite: 4.0.0 - 4.1.6

External links
http://seclists.org/fulldisclosure/2018/Aug/46
http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in RSA BSAFE Micro Edition Suite