CVE-2023-5388
Published 2024-03-19
Medium · 6.5 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
Affected
26 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | firefox | < firefox 124.0-1 (sid) | firefox 124.0-1 (sid) |
| debian | firefox-esr | < firefox 124.0-1 (sid) | firefox 124.0-1 (sid) |
| debian | nss | < firefox 124.0-1 (sid) | firefox 124.0-1 (sid) |
| debian | thunderbird | < firefox 124.0-1 (sid) | firefox 124.0-1 (sid) |
| mozilla | firefox | < 115.9.0 | 115.9.0 |
| mozilla | firefox | < 124.0 | 124.0 |
| mozilla | firefox | — | — |
| mozilla | firefox | >= 0 < 124.0+build1-0ubuntu0.20.04.1 | 124.0+build1-0ubuntu0.20.04.1 |
| mozilla | firefox | >= unspecified < 124 | 124 |
| mozilla | firefox_esr | >= unspecified < 115.9 | 115.9 |
| mozilla | nss | >= 0 < 2:3.98-1 | 2:3.98-1 |
| mozilla | nss | >= 0 < 2:3.98-1 | 2:3.98-1 |
| mozilla | nss | >= 0 < 2:3.98-0ubuntu0.20.04.2 | 2:3.98-0ubuntu0.20.04.2 |
| mozilla | nss | >= 0 < 2:3.98-0ubuntu0.20.04.1 | 2:3.98-0ubuntu0.20.04.1 |
| mozilla | nss | >= 0 < 2:3.98-0ubuntu0.22.04.2 | 2:3.98-0ubuntu0.22.04.2 |
| mozilla | nss | >= 0 < 2:3.98-0ubuntu0.22.04.1 | 2:3.98-0ubuntu0.22.04.1 |
| mozilla | thunderbird | < 115.9.0 | 115.9.0 |
| mozilla | thunderbird | >= 0 < 1:115.9.0-1~deb11u1 | 1:115.9.0-1~deb11u1 |
| mozilla | thunderbird | >= 0 < 1:115.9.0-1~deb12u1 | 1:115.9.0-1~deb12u1 |
| mozilla | thunderbird | >= 0 < 1:115.9.0-1 | 1:115.9.0-1 |
| mozilla | thunderbird | >= 0 < 1:115.9.0-1 | 1:115.9.0-1 |
| mozilla | thunderbird | >= 0 < 1:115.9.0+build1-0ubuntu0.20.04.1 | 1:115.9.0+build1-0ubuntu0.20.04.1 |
| mozilla | thunderbird | >= 0 < 1:115.9.0+build1-0ubuntu0.22.04.1 | 1:115.9.0+build1-0ubuntu0.22.04.1 |
| mozilla | thunderbird | >= unspecified < 115.9 | 115.9 |
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
osv · 6.5 MEDIUM
Palo Alto
PAN-SA-2025-0010 Informational Bulletin: No Impact of the Marvin Attack on PAN-OS
vendor_paloalto·2025-05-14·CVSS 5.9
CVE-2024-29995 [MEDIUM] CWE-1240 PAN-SA-2025-0010 Informational Bulletin: No Impact of the Marvin Attack on PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the applicability of CVEs related to the Marvin attack on PAN-OS. While we did not determine that any of these CVEs have significant impact on our PAN-OS software, some were fixed anyway out of an abundance of caution. You can also review more details about the Marvin attack if helpful.
CVE Summary
CVE-2024-29995: This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable opensc library.
CVE-2024-26306: This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable iperf3 component.
CVE-2024-23170: This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable Mbed TLS component.
CVE-2024-21484: This CVE does not aff
Oracle
Oracle Oracle Communications Applications Risk Matrix: Security (NSS) — CVE-2023-5388
vendor_oracle·2025-04-15·CVSS 6.5
CVE-2023-5388 [MEDIUM] Oracle Oracle Communications Applications Risk Matrix: Security (NSS) — CVE-2023-5388
Oracle Oracle Communications Applications Risk Matrix: Security (NSS) vulnerability
CVE: CVE-2023-5388
CVSS: 6.5
Protocol: HTTPS
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2025 (APR 2025)
Ubuntu
NSS regression
vendor_ubuntu·2024-04-11·CVSS 6.5
[MEDIUM] NSS regression
Title: NSS regression
Summary: USN-6727-1 introduced a regression in NSS.
USN-6727-1 fixed vulnerabilities in NSS. The update introduced a regression
when trying to load security modules on Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)
It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)
It was discovered that NSS had a t
Ubuntu
NSS vulnerabilities
vendor_ubuntu·2024-04-10·CVSS 6.5
CVE-2023-5388 [MEDIUM] NSS vulnerabilities
Title: NSS vulnerabilities
Summary: Several security issues were fixed in NSS.
It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)
It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)
It was discovered that NSS had a timing side-channel when using certain
NIST curves. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-6135)
The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.98
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu·2024-03-26·CVSS 6.5
CVE-2024-2610 [MEDIUM] Thunderbird vulnerabilities
Title: Thunderbird vulnerabilities
Summary: Several security issues were fixed in Thunderbird.
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2024-0743, CVE-2024-2611,
CVE-2024-2614)
Hubert Kario discovered that Thunderbird had a timing side-channel when
performing RSA decryption. A remote attacker could possibly use this
issue to recover sensitive information. (CVE-2023-5388)
Gary Kwong discovered that Thunderbird incorrectly updated return
registers for JIT code on Armv7-A systems. An attacker could potent
Ubuntu
Firefox vulnerabilities
vendor_ubuntu·2024-03-20·CVSS 6.5
CVE-2024-2610 [MEDIUM] Firefox vulnerabilities
Title: Firefox vulnerabilities
Summary: Several security issues were fixed in Firefox.
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-2609,
CVE-2024-2611, CVE-2024-2614, CVE-2024-2615)
Hubert Kario discovered that Firefox had a timing side-channel when
performing RSA decryption. A remote attacker could possibly use this
issue to recover sensitive information. (CVE-2023-5388)
It was discovered that Firefox did not properly handle WASM register
values in some circumstances. An attacker could potentially exploit this
issue to cause a denial of service. (CVE-2024-260
Red Hat
nss: timing attack against RSA decryption
vendor_redhat·2023-10-12·CVSS 6.5
CVE-2023-5388 [MEDIUM] CWE-208 nss: timing attack against RSA decryption
NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
It was discovered that the numerical library used in NSS for RSA cryptography leaks information about whether the high-order bits of the RSA decryption result are zero. This information can be used to mount a Bleichenbacher- or Manger-like attack against all RSA decryption operations. As the leak happens before any padding operations, it affects all padding modes: PKCS#1 v1.5, OAEP, and RSASVP. Both API-level calls and TLS server operation are affected.
Package: firefox (Red Hat Enterprise Linux 6) - Out of supp
Debian
CVE-2023-5388: firefox - NSS was susceptible to a timing side-channel attack when performing RSA decrypti...
vendor_debian·2023·CVSS 6.5
CVE-2023-5388 [MEDIUM] CVE-2023-5388: firefox - NSS was susceptible to a timing side-channel attack when performing RSA decrypti...
NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
Scope: local
sid: resolved (fixed in 124.0-1)
Mozilla
Mozilla Foundation Security Advisory 2024-12: CVE-2023-5388
vendor_mozilla·CVSS 6.5
CVE-2023-5388 [MEDIUM] Mozilla Foundation Security Advisory 2024-12: CVE-2023-5388
Mozilla Foundation Security Advisory 2024-12
CVE: CVE-2023-5388
Product: Firefox
Impact: critical
Fixed in: Firefox 124
Mozilla
Mozilla Foundation Security Advisory 2024-14: CVE-2023-5388
vendor_mozilla·CVSS 6.5
CVE-2023-5388 [MEDIUM] Mozilla Foundation Security Advisory 2024-14: CVE-2023-5388
Mozilla Foundation Security Advisory 2024-14
CVE: CVE-2023-5388
Product: Thunderbird
Impact: high
Fixed in: Thunderbird 115.9
Mozilla
Mozilla Foundation Security Advisory 2024-13: CVE-2023-5388
vendor_mozilla·CVSS 6.5
CVE-2023-5388 [MEDIUM] Mozilla Foundation Security Advisory 2024-13: CVE-2023-5388
Mozilla Foundation Security Advisory 2024-13
CVE: CVE-2023-5388
Product: Firefox ESR
Impact: high
Fixed in: Firefox ESR 115.9
OSV
nss regression
osv·2024-04-11·CVSS 6.5
[MEDIUM] nss regression
USN-6727-1 fixed vulnerabilities in NSS. The update introduced a regression
when trying to load security modules on Ubuntu 20.04 LTS and Ubuntu 22.04
LTS. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)
It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)
It was discovered that NSS had a timing side-channel when using certain
NIST curves. A remote
OSV
nss vulnerabilities
osv·2024-04-10·CVSS 6.5
CVE-2023-4421 [MEDIUM] nss vulnerabilities
It was discovered that NSS incorrectly handled padding when checking PKCS#1
certificates. A remote attacker could possibly use this issue to perform
Bleichenbacher-like attacks and recover private data. This issue only
affected Ubuntu 20.04 LTS. (CVE-2023-4421)
It was discovered that NSS had a timing side-channel when performing RSA
decryption. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-5388)
It was discovered that NSS had a timing side-channel when using certain
NIST curves. A remote attacker could possibly use this issue to recover
private data. (CVE-2023-6135)
The NSS package contained outdated CA certificates. This update refreshes
the NSS package to version 3.98 which includes the latest CA certificate
bundle and other se
OSV
thunderbird vulnerabilities
osv·2024-03-26·CVSS 6.5
CVE-2024-0743 [MEDIUM] thunderbird vulnerabilities
Multiple security issues were discovered in Thunderbird. If a user were
tricked into opening a specially crafted website in a browsing context, an
attacker could potentially exploit these to cause a denial of service,
obtain sensitive information, bypass security restrictions, cross-site
tracing, or execute arbitrary code. (CVE-2024-0743, CVE-2024-2611,
CVE-2024-2614)
Hubert Kario discovered that Thunderbird had a timing side-channel when
performing RSA decryption. A remote attacker could possibly use this
issue to recover sensitive information. (CVE-2023-5388)
Gary Kwong discovered that Thunderbird incorrectly updated return
registers for JIT code on Armv7-A systems. An attacker could potentially
exploit this issue to execute arbitrary code. (CVE-2024-2607)
OSV
firefox vulnerabilities
osv·2024-03-20·CVSS 6.5
CVE-2024-2609 [MEDIUM] firefox vulnerabilities
Multiple security issues were discovered in Firefox. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service, obtain sensitive
information across domains, or execute arbitrary code. (CVE-2024-2609,
CVE-2024-2611, CVE-2024-2614, CVE-2024-2615)
Hubert Kario discovered that Firefox had a timing side-channel when
performing RSA decryption. A remote attacker could possibly use this
issue to recover sensitive information. (CVE-2023-5388)
It was discovered that Firefox did not properly handle WASM register
values in some circumstances. An attacker could potentially exploit this
issue to cause a denial of service. (CVE-2024-2606)
Gary Kwong discovered that Firefox incorrectly updated retur
OSV
CVE-2023-5388: NSS was susceptible to a timing side-channel attack when performing RSA decryption
osv·2024-03-19·CVSS 6.5
CVE-2023-5388 [MEDIUM] CVE-2023-5388: NSS was susceptible to a timing side-channel attack when performing RSA decryption
NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
GHSA
GHSA-g2hf-9hjx-2rxj: NSS was susceptible to a timing side-channel attack when performing RSA decryption
ghsa_unreviewed·2024-03-19
CVE-2023-5388 [MEDIUM] CWE-203 GHSA-g2hf-9hjx-2rxj: NSS was susceptible to a timing side-channel attack when performing RSA decryption
NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.
No detection rules found.
No public exploits indexed.
https://bugzilla.mozilla.org/show_bug.cgi?id=1780432
https://lists.debian.org/debian-lts-announce/2024/03/msg00010.html
https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html
https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html
https://www.mozilla.org/security/advisories/mfsa2024-12/
https://www.mozilla.org/security/advisories/mfsa2024-13/
https://www.mozilla.org/security/advisories/mfsa2024-14/
Published: 2024-03-19