CVE-2024-26306

low-risk

Published 2024-05-14

iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

Do I need to act?

0.63% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (2)

Iperf3

Bootstrap Os

Affected Vendors

Netapp Es

References (7)

Third Party Advisory https://downloads.es.net/pub/iperf/esnet-secadv-2024-0001.txt.asc

Release Notes https://github.com/esnet/iperf/releases/tag/3.17

Third Party Advisory https://www.insyde.com/security-pledge/SA-2024005

Third Party Advisory https://downloads.es.net/pub/iperf/esnet-secadv-2024-0001.txt.asc

Release Notes https://github.com/esnet/iperf/releases/tag/3.17

https://lists.debian.org/debian-lts-announce/2025/01/msg00027.html

Third Party Advisory https://security.netapp.com/advisory/ntap-20250228-0007/

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 7/34 · Low