CVE-2024-0914

2024-01-3105:15:08

Debian Security Bug Tracker

security-tracker.debian.org

opencryptoki

rsa

pkcs#1

decryption

vulnerability

timing

side-channel

unix

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

5.6 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.7%

JSON

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key.

OSVersionArchitecturePackageVersionFilename
Debian12allopencryptoki<= 3.8.1+dfsg-3.2opencryptoki_3.8.1+dfsg-3.2_all.deb
Debian11allopencryptoki<= 3.8.1+dfsg-3.2opencryptoki_3.8.1+dfsg-3.2_all.deb
Debian10allopencryptoki<= 3.8.1+dfsg-3.1opencryptoki_3.8.1+dfsg-3.1_all.deb
Debian999allopencryptoki< 3.23.0+dfsg-0.1opencryptoki_3.23.0+dfsg-0.1_all.deb
Debian13allopencryptoki<= 3.8.1+dfsg-3.2opencryptoki_3.8.1+dfsg-3.2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	opencryptoki	<= 3.8.1+dfsg-3.2	opencryptoki_3.8.1+dfsg-3.2_all.deb
Debian	11	all	opencryptoki	<= 3.8.1+dfsg-3.2	opencryptoki_3.8.1+dfsg-3.2_all.deb
Debian	10	all	opencryptoki	<= 3.8.1+dfsg-3.1	opencryptoki_3.8.1+dfsg-3.1_all.deb
Debian	999	all	opencryptoki	< 3.23.0+dfsg-0.1	opencryptoki_3.23.0+dfsg-0.1_all.deb
Debian	13	all	opencryptoki	<= 3.8.1+dfsg-3.2	opencryptoki_3.8.1+dfsg-3.2_all.deb