Information exposure through timing discrepancy in RSA BSAFE Crypto-C Micro Edition and Micro Edition Suite
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-3732 |
| CWE-ID | CWE-208 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
RSA BSAFE Micro Edition Suite Client/Desktop applications / Other client software RSA BSAFE Crypto-C Server applications / Encryption software |
| Vendor | Dell |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Information Exposure Through Timing Discrepancy
EUVDB-ID: #VU21462
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-3732
CWE-ID:
CWE-208 - Information Exposure Through Timing Discrepancy
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product. A remote attacker can extract information leaving data at risk of exposure.This vulnerability affects the following versions:
- RSA BSAFE Crypto-C Micro Edition - versions prior to 4.0.5.3 (in 4.0.x) and prior to 4.1.3.3 (in 4.1.x)
- RSA BSAFE Micro Edition Suite - versions prior to 4.0.11 (in 4.0.x), prior to 4.1.6.1 (in 4.1.x) and versions prior to 4.3.3 (4.2.x and 4.3.x)
Install updates from vendor's website.
Vulnerable software versionsRSA BSAFE Micro Edition Suite: before 4.3.3
RSA BSAFE Crypto-C: before 4.1.3.3
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
