SUSE releases a critical security update for perl-Crypt-OpenSSL-RSA addressing CVE-2024-2467, a side-channel vulnerability in PKCS#1 v1.5 padding. Learn how to patch affected systems (openSUSE Leap 15.6, SUSE Linux Enterprise 15 SP6/SP7) and mitigate risks.
Vulnerability Overview
A moderate-risk security flaw (CVE-2024-2467) has been identified in perl-Crypt-OpenSSL-RSA, exposing systems to a side-channel attack (the Marvin Attack) when the PKCS#1 v1.5 padding mode is used. This vulnerability (CVSS:3.1 score 5.9) allows remote attackers to extract sensitive data through cryptographic timing leaks.
Affected Products:
SUSE Linux Enterprise Server/Desktop 15 SP6/SP7
openSUSE Leap 15.6
Basesystem Module 15-SP6/SP7
SUSE Real Time & SAP Applications
Patch Instructions & Mitigation
How to Apply the Update
Install the fix using these SUSE-recommended methods:
YaST Online Update (GUI)
Command Line (zypper):
```sh
# openSUSE Leap 15.6
zypper in -t patch SUSE-2025-1884=1 openSUSE-SLE-15.6-2025-1884=1

# Basesystem Module 15-SP6/SP7
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP6-2025-1884=1
```
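Added example (mine, not from SUSE or the advisory): a POSIX shell check that reads the installed perl-Crypt-OpenSSL-RSA version with rpm and compares it against the fixed openSUSE Leap 15.6 version from the package table, so an administrator can confirm the patch actually landed. The version-comparison helper and the rpm query format are assumptions of this example; only the fixed version string comes from the advisory.

```shell
#!/bin/sh
# Added example, not from the SUSE advisory: verify that the installed
# perl-Crypt-OpenSSL-RSA package is at or above the fixed version the
# advisory lists for openSUSE Leap 15.6.
FIXED_VERSION="0.28-150600.19.3.1"

# Compare two RPM-style version strings field by field, treating dots and
# dashes as separators and every field as an integer (true for the versions
# on this page; pre-release tags such as "beta" are deliberately not handled).
# Returns 0 when $1 >= $2, 1 otherwise.
version_ge() {
    left=$(printf '%s' "$1" | tr '.-' '  ')
    right=$(printf '%s' "$2" | tr '.-' '  ')
    while [ -n "$left" ] || [ -n "$right" ]; do
        l=${left%% *}
        if [ "$l" = "$left" ]; then left=""; else left=${left#* }; fi
        r=${right%% *}
        if [ "$r" = "$right" ]; then right=""; else right=${right#* }; fi
        l=${l:-0}; r=${r:-0}   # a missing trailing field counts as 0
        if [ "$l" -gt "$r" ]; then return 0; fi
        if [ "$l" -lt "$r" ]; then return 1; fi
    done
    return 0   # every field equal
}

# Read the installed version-release from the RPM database; fails quietly
# on hosts without rpm (or without the package) so the demo below still runs.
installed_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' perl-Crypt-OpenSSL-RSA 2>/dev/null
}

# Print "patched" (exit 0) or "vulnerable" (exit 1) for a version string.
patch_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "patched"; return 0
    fi
    echo "vulnerable"; return 1
}

# Live check when rpm is available and the package is installed...
if installed=$(installed_version); then
    printf 'installed %s: ' "$installed"; patch_status "$installed" || true
fi
# ...and two constructed sample values (not real rpm output).
for sample in "0.28-150600.19.3.1" "0.28-150600.17.1"; do
    printf 'sample %s: ' "$sample"; patch_status "$sample" || true
done
```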
Why This Update Matters
Mitigates Marvin Attack: Prevents exploitation of PKCS#1 v1.5 padding weaknesses.
Enterprise Security: Critical for SAP, Real-Time, and Server environments handling sensitive data.
Compliance: Aligns with CVE, CVSS, and NIST guidelines for cryptographic security.
Technical Details & References
Package List (Updated Versions)
| Product | Packages |
|---|---|
| openSUSE Leap 15.6 | perl-Crypt-OpenSSL-RSA-0.28-150600.19.3.1 |
| Basesystem 15-SP6/SP7 | Debug & runtime packages included |
Official References:
FAQs: perl-Crypt-OpenSSL-RSA Vulnerability
Q: Is this vulnerability exploitable remotely?
A: Yes, via network-based side-channel attacks (AV:N).
Q: What’s the business impact?
A: Data confidentiality breaches in finance, healthcare, or SAP systems using RSA encryption.
Q: Are containers/cloud deployments affected?
A: Yes, if running unpatched SUSE images.