CVE-2024-2236 — Covert Timing Channel in Paloalto Pan-os

CWE-385 — Covert Timing Channel CWE-208 — Observable Timing Discrepancy CWE-1240 — Use of a Cryptographic Primitive with a Risky Implementation CWE-414 — Missing Lock Check8 documents6 sources

Severity

5.9MEDIUMNVD

EPSS

0.7%

top 26.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Paloalto Pan-os Debian Libgcrypt20

Timeline

PublishedMar 6

Latest updateMay 14

Description

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

▶debiandebian/libgcrypt20

▶Palo Altopaloalto/pan-os

🔴Vulnerability Details

GHSA

GHSA-w2gx-4fh8-wm9f: A timing-based side-channel flaw was found in libgcrypt's RSA implementation↗2024-03-07

▶

OSV

CVE-2024-2236: A timing-based side-channel flaw was found in libgcrypt's RSA implementation↗2024-03-06

▶

📋Vendor Advisories

Palo Alto

PAN-SA-2025-0010 Informational Bulletin: No Impact of the Marvin Attack on PAN-OS↗2025-05-14

▶

Red Hat

kernel: jfs: add check read-only before txBeginAnon() call↗2025-04-16

▶

Red Hat

libgcrypt: vulnerable to Marvin Attack↗2024-03-06

▶

Debian

CVE-2024-2236: libgcrypt20 - A timing-based side-channel flaw was found in libgcrypt's RSA implementation. Th...↗2024

▶