CVE-2020-25657

Published: 12/01/2021 Updated: 12/02/2023
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

A flaw was found in all released versions of m2crypto, where they are vulnerable to Bleichenbacher timing attacks in the RSA decryption API via the timed processing of valid PKCS#1 v1.5 Ciphertext. The highest threat from this vulnerability is to confidentiality.

Vulnerable Product

m2crypto project m2crypto

redhat enterprise linux 7.0

redhat enterprise linux 6.0

redhat virtualization 4.0

fedoraproject fedora 33

Vendor Advisories

Debian Bug report logs - #975002 m2crypto: CVE-2020-25657: bleichenbacher timing attacks in the RSA decryption API. Package: src:m2crypto; Maintainer for src:m2crypto is Sandro Tosi <morph@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 17 Nov 2020 20:09:02 UTC; Severity: important; Tags: s ...
Debian Bug report logs - #1059292 m2crypto: CVE-2023-50781. Package: src:m2crypto; Maintainer for src:m2crypto is Sandro Tosi <morph@debian.org>; Reported by: Moritz Mühlenhoff <jmm@inutil.org>; Date: Fri, 22 Dec 2023 12:39:02 UTC; Severity: important; Tags: security, upstream; Found in version m2crypto/0380-41 Fo ...

Recent Articles

ROBOT crypto attack on RSA is back as Marvin arrives
The Register

More precise timing tests find many implementations vulnerable

An engineer has identified longstanding undetected flaws in a 25-year-old method for encrypting data using RSA public-key cryptography. In a paper titled, "Everlasting ROBOT: the Marvin Attack," Hubert Kario, senior quality engineer on the QE BaseOS Security team at Red Hat, shows that many software implementations of the PKCS#1 v1.5 padding scheme for RSA key exchange that were previously deemed immune to Daniel Bleichenbacher's widely known attack are, in fact, vulnerable. Back in 1998, Bleich...