CVE-2021-43398 - Vulnerability Details - OpenCVE

Description

Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the length information of the private key. This might allow attackers to conduct timing attacks. NOTE: this report is disputed by the vendor and multiple third parties. The execution-time differences are intentional. A user may make a choice of a longer key as a tradeoff between strength and performance. In making this choice, the amount of information leaked to an adversary is of infinitesimal value

Published: 2021-11-04

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:cryptopp:crypto\+\+:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00423.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://cryptopp.com
https://github.com/weidai11/cryptopp/issues/1080
https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222

History

No history.

Subscriptions

Cryptopp Crypto\+\+

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2021-11-04T20:06:38.000Z

Updated: 2024-08-04T03:55:28.758Z

Reserved: 2021-11-04T00:00:00.000Z

Link: CVE-2021-43398

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-11-04T21:15:09.520

Modified: 2024-11-21T06:29:09.903

Link: CVE-2021-43398

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-203

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the length information of the private key. This might allow attackers to conduct timing attacks. NOTE: this report is disputed by the vendor and multiple third parties. The execution-time differences are intentional. A user may make a choice of a longer key as a tradeoff between strength and performance. In making this choice, the amount of information leaked to an adversary is of infinitesimal value"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-12-17T15:31:24.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/weidai11/cryptopp/issues/1080"}, {"tags": ["x_refsource_MISC"], "url": "https://cryptopp.com"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-43398", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the length information of the private key. This might allow attackers to conduct timing attacks. NOTE: this report is disputed by the vendor and multiple third parties. The execution-time differences are intentional. A user may make a choice of a longer key as a tradeoff between strength and performance. In making this choice, the amount of information leaked to an adversary is of infinitesimal value."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/weidai11/cryptopp/issues/1080", "refsource": "MISC", "url": "https://github.com/weidai11/cryptopp/issues/1080"}, {"name": "https://cryptopp.com", "refsource": "MISC", "url": "https://cryptopp.com"}, {"name": "https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222", "refsource": "MISC", "url": "https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:55:28.758Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/weidai11/cryptopp/issues/1080"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cryptopp.com"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-43398", "datePublished": "2021-11-04T20:06:38.000Z", "dateReserved": "2021-11-04T00:00:00.000Z", "dateUpdated": "2024-08-04T03:55:28.758Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cryptopp:crypto\\+\\+:*:*:*:*:*:*:*:*", "matchCriteriaId": "38083732-7F2F-45F1-B773-8BD7A039F08B", "versionEndIncluding": "8.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the length information of the private key. This might allow attackers to conduct timing attacks. NOTE: this report is disputed by the vendor and multiple third parties. The execution-time differences are intentional. A user may make a choice of a longer key as a tradeoff between strength and performance. In making this choice, the amount of information leaked to an adversary is of infinitesimal value"}, {"lang": "es", "value": "** EN DISPUTA ** Crypto++ (tambi\u00e9n se conoce como Cryptopp) versiones 8.6.0 y anteriores, contienen un filtrado de tiempo en la funci\u00f3n MakePublicKey(). Se presenta una clara correlaci\u00f3n entre el tiempo de ejecuci\u00f3n y la longitud de la clave privada, que puede causar una divulgaci\u00f3n de la informaci\u00f3n de la longitud de la clave privada. Esto podr\u00eda permitir a atacantes conducir ataques de tiempo. NOTA: este informe es discutido por el vendedor y por m\u00faltiples terceros. Las diferencias de tiempo de ejecuci\u00f3n son intencionadas. Un usuario puede elegir una clave m\u00e1s larga como compensaci\u00f3n entre la fuerza y el rendimiento. Al hacer esta elecci\u00f3n, la cantidad de informaci\u00f3n filtrada a un adversario es de valor infinitesimal"}], "id": "CVE-2021-43398", "lastModified": "2024-11-21T06:29:09.903", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-04T21:15:09.520", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://cryptopp.com"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/weidai11/cryptopp/issues/1080"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://cryptopp.com"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/weidai11/cryptopp/issues/1080"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}