#VU89836 Information Exposure Through Timing Discrepancy in iperf - CVE-2024-26306

Cybersecurity Help s.r.o.

Published: 2024-05-27

Vulnerability identifier: #VU89836

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-26306

CWE-ID: CWE-208

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
iperf
Other software / Other software solutions

Vendor: ESnet

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a timing side channel in RSA decryption operations. A remote attacker can send a large number of messages for decryption and recover credentials.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

iperf: 3.0.1 - 3.16

External links
https://github.com/esnet/iperf/releases/tag/3.17
https://downloads.es.net/pub/iperf/esnet-secadv-2024-0001.txt.asc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Anolis OS update for iperf3

Red Hat Enterprise Linux 9 update for iperf3

Multiple vulnerabilities in Oracle Linux

Oracle Solaris update for thrid-party components

openEuler 24.03 LTS update for iperf3

SUSE update for iperf

openEuler 20.03 LTS SP4 update for iperf3

openEuler 22.03 LTS SP2 update for iperf3

openEuler update for iperf3

Marvin attack in iPerf