CVE-2024-26306
MEDIUMiperf3 < 3.17 - Timing Side Channel in RSA Decryption
Title source: llmDescription
iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.
References (5)
Core 5
Core References
Third Party Advisory
https://downloads.es.net/pub/iperf/esnet-secadv-2024-0001.txt.asc
Release Notes
https://github.com/esnet/iperf/releases/tag/3.17
Third Party Advisory
https://www.insyde.com/security-pledge/SA-2024005
Third Party Advisory
https://security.netapp.com/advisory/ntap-20250228-0007/
Scores
CVSS v3
5.9
EPSS
0.0063
EPSS Percentile
70.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-385
Status
published
Products (2)
es/iperf3
< 3.17
netapp/bootstrap_os
Published
May 14, 2024
Tracked Since
Feb 18, 2026