Timing Attack Affecting cryptography package, versions [,3.2)


Severity: medium

CVSS assessment made by Snyk's Security Team

Threat Intelligence

EPSS: 0.13% (50th percentile)

  • Snyk ID SNYK-PYTHON-CRYPTOGRAPHY-1022152
  • published 27 Oct 2020
  • disclosed 25 Oct 2020
  • credit Hubert Kario

How to fix?

Upgrade cryptography to version 3.2 or higher.

Overview

Affected versions of this package are vulnerable to Timing Attack. The RSA decryption API is exposed to Bleichenbacher timing attacks via timed processing of valid PKCS#1 v1.5 ciphertext (Marvin).

Notes:

  1. Version 3.2 of this package contains an incomplete fix, which might help reduce the chances of this vulnerability being exploited. We recommend updating to version 42.0.0 for the complete fix, as advised in the advisory for CVE-2023-50782.

  2. This vulnerability presents a moderate severity concern due to its specific impact on applications utilizing RSA decryption with PKCS#1 v1.5 padding. While the vulnerability could potentially lead to leakage in RSA decryption operations, its severity is downgraded to medium by several factors. Firstly, the exploitability of the vulnerability is limited to scenarios where RSA decryption with PKCS#1 v1.5 padding is employed, narrowing the scope of affected systems. Additionally, the implementation of implicit rejection, such as the Marvin workaround, provides a viable mitigation strategy.
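The sketch below is an added example, not code from Snyk or from the cryptography project. It triages an installed version against the thresholds quoted in this advisory and flags `.decrypt(...)` calls that pass a `PKCS1v15()` padding object; the function names and the sample source are hypothetical and constructed for illustration.

```python
import ast
from itertools import takewhile

# Version thresholds as stated in this advisory.
PARTIAL_FIX = (3, 2, 0)     # first release with the incomplete fix
COMPLETE_FIX = (42, 0, 0)   # release recommended for the complete fix

def parse_version(text):
    """'3.1.1' -> (3, 1, 1). Simplification: suffixes such as 'rc1' are ignored."""
    nums = []
    for piece in text.strip().split(".")[:3]:
        nums.append(int("".join(takewhile(str.isdigit, piece)) or 0))
    return tuple(nums + [0] * (3 - len(nums)))

def classify_version(text):
    """Hypothetical helper: map a cryptography version to its advisory status."""
    version = parse_version(text)
    if version < PARTIAL_FIX:
        return "vulnerable"
    return "partial-fix" if version < COMPLETE_FIX else "fixed"

def find_pkcs1v15_decrypt(source):
    """Line numbers of .decrypt(...) calls given an inline PKCS1v15() padding.
    Limitation: a padding object stored in a variable first is not traced."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "decrypt"):
            continue
        for arg in list(node.args) + [kw.value for kw in node.keywords]:
            for sub in ast.walk(arg):
                func = getattr(sub, "func", None)
                if getattr(func, "attr", getattr(func, "id", None)) == "PKCS1v15":
                    hits.add(node.lineno)
    return sorted(hits)

# Constructed sample: one affected decrypt call, one signing call (not the decryption API).
SAMPLE_SOURCE = '''
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

def unwrap_session_key(private_key, blob):
    return private_key.decrypt(blob, padding.PKCS1v15())

def sign_report(private_key, data):
    return private_key.sign(data, padding.PKCS1v15(), hashes.SHA256())
'''

if __name__ == "__main__":
    print(classify_version("3.1.1"), find_pkcs1v15_decrypt(SAMPLE_SOURCE))
```

A "partial-fix" result together with at least one flagged line is the case note 1 addresses: the code path is in scope and the installed release predates 42.0.0.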

CVSS Scores

version 3.1

Snyk

Recommended
5.9 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None

NVD

5.9 medium

SUSE

5.9 medium

Red Hat

5.9 medium