OpenSSL Timing Attack Risks – SES 7.2

OpenSSL Timing Attack Risks – SES 7.2

Advisory ID	CVE Number	Date discovered	Severity	Advisory revision
STORM-2023-012	CVE-2022-4304	02/08/2023	medium	v1

Vulnerability details

A timing-based attack exists in the OpenSSL RSA decryption.

Impacted products

Products	Severity	Detail
Stormshield Endpoint Security	medium	SES 7.2 is impacted - SES EVO not impacted

Revisions

Version	Date	Description
v1	06/22/2023	Initial release

Stormshield Endpoint Security

CVSS v3.1 Overall Score: 5.2

Analysis	Impacted version
A timing-based attack may be possible under certain circumstance for an attacker to achieve a successful decryption.	SES 7.2.39 and earlier

Workaround solution	Solution
There is no workaround solution.	The 7.2.40 version fixes this vulnerability.

Attack Vector	Attack Complexity	Privileges Required	User Interaction	Scope	Confidentiality Impact	Integrity Impact	Availability impact
Adjacent Network	High	None	None	Unchanged	High	None	None

CVSS Base score: 5.3	CVSS Vector: (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Exploit Code Maturity	Remediation Level	Report Confidence
Unproven that exploit exists	Official fix	Confirmed

CVSS Temporal score: 4.6	CVSS Vector: (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Confidentiality Requirement (CR)	Integrity Requirement (IR)	Availability Requirement (AR)
Medium	Medium	Medium

CVSS Environmental score: 5.2	CVSS Vector: (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C/CR:M/IR:M/AR:M/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)

RSS Feed Contact Report a vulnerability Legal terms STORMSHIELD Corporate website Personal Data