Covert Timing Channel in python-cryptography

#VU50367 Covert Timing Channel in python-cryptography

Published: 2021-01-11 | Updated: 2021-02-04

Vulnerability identifier: #VU50367

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25659

CWE-ID: CWE-385

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
python-cryptography
Universal components / Libraries / Programming Languages & Components

Vendor: Python Cryptographic Authority

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Mitigation
Install update from vendor's website.

Vulnerable software versions

python-cryptography: 3.2

External links
http://github.com/pyca/cryptography/pull/5507/commits/ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Juniper Networks Junos cRPD

Multiple vulnerabilities in Juniper Cloud Native Router

Multiple vulnerabilities in IBM QRadar SIEM

Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management

Fedora EPEL 7 update for openssl11

Multiple vulnerabilities in Dell PowerScale OneFS

SUSE update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt

SUSE update for python-cryptography, python-cryptography-vectors

Multiple vulnerabilities in IBM Spectrum Discover