CVE-2024-26306

Severity: Medium (CVSS 3.1 base score 5.9) · EPSS 61.7%
Published May 14, 2024 (2y ago)
Last Modified Jun 17, 2026 (1w ago)

Description

iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

CVSS Details

Base Score
5.9
Exploitability
2.2
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
61.7% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-385 (Covert Timing Channel)

Affected Products 3

Vendor   Product            Version   Range
es       iperf3             *         <3.17
netapp   bootstrap_os       *         any
netapp   hci_compute_node   *         any

References 5

  • downloads.es.net https://downloads.es.net/pub/iperf/esnet-secadv-2024-0001.txt.asc
    Third Party Advisory
  • github.com https://github.com/esnet/iperf/releases/tag/3.17
    Release Notes
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00027.html
  • security.netapp.com https://security.netapp.com/advisory/ntap-20250228-0007/
    Third Party Advisory
  • insyde.com https://www.insyde.com/security-pledge/SA-2024005
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.