CVE-2022-4304 Timing Oracle in RSA Decryption

2023-02-0819:04:28

openssl

www.cve.org

cve-2022-4304

timing oracle

rsa decryption

bleichenbacher style attack

openssl

network

side channel

plaintext

trial messages

vulnerability

padding modes

pkcs#1 v1.5

rsa-oeap

rsasve

tls connection

pre-master secret

server

application data

6.7 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.4%

JSON

A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an
encrypted pre-master secret to the server. An attacker that had observed a
genuine connection between a client and a server could use this flaw to send
trial messages to the server and record the time taken to process them. After a
sufficiently large number of messages the attacker could recover the pre-master
secret used for the original connection and thus be able to decrypt the
application data sent over that connection.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "OpenSSL",
    "vendor": "OpenSSL",
    "versions": [
      {
        "lessThan": "3.0.8",
        "status": "affected",
        "version": "3.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "1.1.1t",
        "status": "affected",
        "version": "1.1.1",
        "versionType": "custom"
      },
      {
        "lessThan": "1.0.2zg",
        "status": "affected",
        "version": "1.0.2",
        "versionType": "custom"
      }
    ]
  }
]