CVE-2022-4304

08.02.2023, 20:15

A timing based side channel exists in the OpenSSL RSA Decryption implementation
which could be sufficient to recover a plaintext across a network in a
Bleichenbacher style attack. To achieve a successful decryption an attacker
would have to be able to send a very large number of trial messages for
decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,
RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an
encrypted pre-master secret to the server. An attacker that had observed a
genuine connection between a client and a server could use this flaw to send
trial messages to the server and record the time taken to process them. After a
sufficiently large number of messages the attacker could recover the pre-master
secret used for the original connection and thus be able to decrypt the
application data sent over that connection.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
openssl	CNA	---				---
CVE	ADP	---				---
CISA-ADP	ADP	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 48%

Vendor	Product	Version
openssl	openssl	1.0.2 ≤ 𝑥 < 1.0.2zg
openssl	openssl	1.1.1 ≤ 𝑥 < 1.1.1t
openssl	openssl	3.0.0 ≤ 𝑥 < 3.0.8
stormshield	endpoint_security	𝑥 < 7.2.40
stormshield	sslvpn	𝑥 < 3.2.1
stormshield	stormshield_network_security	2.7.0 ≤ 𝑥 < 2.7.11
stormshield	stormshield_network_security	2.8.0 ≤ 𝑥 < 3.7.34
stormshield	stormshield_network_security	3.8.0 ≤ 𝑥 < 3.11.22
stormshield	stormshield_network_security	4.0.0 ≤ 𝑥 < 4.3.16
stormshield	stormshield_network_security	4.4.0 ≤ 𝑥 < 4.6.3

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

openssl

bullseye	1.1.1w-0+deb11u1 fixed
bullseye (security)	1.1.1w-0+deb11u2 fixed
bookworm	3.0.14-1~deb12u1 fixed
bookworm (security)	3.0.14-1~deb12u2 fixed
sid	3.3.2-2 fixed
trixie	3.3.2-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

edk2

noble	not-affected
mantic	not-affected
lunar	ignored
kinetic	ignored
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	ignored

nodejs

noble	not-affected
mantic	not-affected
lunar	not-affected
kinetic	not-affected
jammy	Fixed 12.22.9~dfsg-1ubuntu3.3 released
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

openssl

noble	Fixed 3.0.8-1ubuntu1 released
mantic	Fixed 3.0.8-1ubuntu1 released
lunar	Fixed 3.0.8-1ubuntu1 released
kinetic	Fixed 3.0.5-2ubuntu2.1 released
jammy	Fixed 3.0.2-0ubuntu1.8 released
focal	Fixed 1.1.1f-1ubuntu2.17 released
bionic	Fixed 1.1.1-1ubuntu2.1~18.04.21 released
xenial	ignored
trusty	ignored

openssl1.0

kinetic	dne
jammy	dne
focal	dne
bionic	ignored
xenial	dne
trusty	dne

Common Weakness Enumeration

CWE-203 - Observable Discrepancy
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

https://security.gentoo.org/glsa/202402-08

https://www.openssl.org/news/secadv/20230207.txt

https://security.gentoo.org/glsa/202402-08

https://www.openssl.org/news/secadv/20230207.txt