CVE-2024-26306 Information
May 15, 2024
cve
Description
iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.
Reference
https://downloads.es.net/pub/iperf/esnet-secadv-2024-0001.txt.asc
https://github.com/esnet/iperf/releases/tag/3.17