#VU40301 Information disclosure in Debian products - CVE-2015-7827

Cybersecurity Help s.r.o.

Published: 2016-05-13 | Updated: 2020-08-09

Vulnerability identifier: #VU40301

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2015-7827

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Fedora
Operating systems & Components / Operating system
Debian Linux
Operating systems & Components / Operating system
Botan
Universal components / Libraries / Libraries used by multiple products

Vendor: Fedoraproject
Randombit
Debian

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Botan before 1.10.13 and 1.11.x before 1.11.22 make it easier for remote attackers to conduct million-message attacks by measuring time differences, related to decoding of PKCS#1 padding.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Fedora: 24

Botan: 1.11.0 - 1.11.21, 24

Debian Linux: 1.11.0 - 24

External links
https://botan.randombit.net/security.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-May/183669.html
https://marc.info/?l=botan-devel&m=146185420505943&w=2
https://www.debian.org/security/2016/dsa-3565

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Fedoraproject Fedora