CVE-2024-0914Observable Discrepancy in Project Opencryptoki

CWE-203Observable DiscrepancyCWE-385Covert Timing Channel9 documents8 sources
Severity
5.9MEDIUMNVD
EPSS
0.2%
top 54.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Opencryptoki Project OpencryptokiRedhat Enterprise Linux
Timeline
PublishedJan 31

Description

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

Debianopencryptoki_project/opencryptoki< 3.23.0+dfsg-0.1+1

Also affects: Enterprise Linux 8.0, 9.0

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

3
CVEList
Opencryptoki: timing side-channel in handling of rsa pkcs#1 v1.5 padded ciphertexts (marvin)2024-01-31
OSV
CVE-2024-0914: A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v12024-01-31
GHSA
GHSA-qghg-5fph-q28c: A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v12024-01-31

📋Vendor Advisories

3
Red Hat
opencryptoki: timing side-channel in handling of RSA PKCS#1 v1.5 padded ciphertexts (Marvin)2024-01-25
Microsoft
Opencryptoki: timing side-channel in handling of rsa pkcs#1 v1.5 padded ciphertexts (marvin)2024-01-09
Debian
CVE-2024-0914: opencryptoki - A timing side-channel vulnerability has been discovered in the opencryptoki pack...2024
CVE-2024-0914 — Observable Discrepancy | cvebase