VYPR
High severity · OSV Advisory · Published Feb 5, 2024 · Updated Mar 24, 2026

python-cryptography: Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659

CVE-2023-50782

Description

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A timing side-channel in python-cryptography's RSA PKCS#1 v1.5 decryption allows remote attackers to decrypt captured TLS traffic using an improved Bleichenbacher-style oracle attack.

Root Cause

The vulnerability is an incomplete fix for [CVE-2020-25659] in the python-cryptography package. The RSA PKCS#1 v1.5 decryption code did not fully eliminate timing side-channel differences, leaving a detectable oracle that distinguishes between valid and invalid padding [1][3]. This flaw is acknowledged in the upstream documentation as a known limitation [4].

Attack Vector

An attacker on the network could capture TLS ciphertexts from sessions using RSA key exchange and then send crafted malformed ciphertexts to the server, measuring response times. The observed timing difference, approximately 400 nanoseconds, is sufficient for remote exploitation, as demonstrated with statistical analysis [4]. No authentication is required beyond the ability to initiate TLS connections.

Impact

Successful exploitation allows the attacker to decrypt the captured TLS messages, exposing any confidential data transported over the session (e.g., session keys, authentication tokens, or sensitive payloads) [2]. The vulnerability affects TLS servers that use RSA key agreement; servers using ephemeral Diffie-Hellman (DHE/ECDHE) are not exposed.

Mitigation

Red Hat has rated the severity as Medium. Patched versions of python-cryptography are available; users should upgrade to the latest release to eliminate the timing oracle [1][3]. Systems still using RSA key exchange in TLS should consider migrating to forward-secrecy ciphersuites as a general security best practice.
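The root cause and mitigation above come down to one property: the padding check must not take a different amount of time, or stop at a different point, depending on the decrypted bytes. The Python block below is an added illustration written for this page, not python-cryptography's or OpenSSL's code. It works on the already-decrypted block, so no RSA key is involved: it builds a PKCS#1 v1.5 type 2 block, shows the naive early-exit unpad whose return point reveals which check failed, and beside it a branch-free unpad that scans the whole block, folds every check into a single flag, and returns a fixed-length result (random bytes when the padding is bad, the RFC 5246 section 7.4.7.1 countermeasure for TLS RSA key exchange). The block length, the 48-byte expected plaintext length, the sample messages and all helper names are constructed for this example. CPython itself is not a constant-time execution environment; what the block demonstrates is the structure (no early exit, no decision that branches on secret data) that a native implementation needs.

```python
import secrets

K = 128  # constructed: block length in bytes for a 1024-bit RSA modulus


def pad_pkcs1_v15(message: bytes, k: int = K) -> bytes:
    """Build EM = 0x00 || 0x02 || PS || 0x00 || M (RFC 8017, 7.2.1) as test input."""
    ps_len = k - len(message) - 3
    if ps_len < 8:
        raise ValueError("message too long for this block size")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))  # PS is nonzero bytes
    return b"\x00\x02" + ps + b"\x00" + message


def unpad_naive(em: bytes) -> bytes:
    """Early-exit form: each failing check leaves from a different point, so the
    time taken tells an observer *which* check failed. That is the oracle."""
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad header")
    sep = em.find(b"\x00", 2)
    if sep == -1:
        raise ValueError("no separator")
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return em[sep + 1:]


def _ct_is_zero(x: int, bits: int = 8) -> int:
    """1 if x == 0 else 0, for 0 <= x < 2**bits, computed without a comparison."""
    return ((x - 1) >> bits) & 1


def _ct_select(flag: int, a: int, b: int) -> int:
    """a if flag == 1 else b, for flag in {0, 1}, using masks instead of `if`."""
    mask = -flag  # 0 -> 0, 1 -> -1 (all ones in Python's two's-complement view)
    return (a & mask) | (b & ~mask)


def unpad_constant_time(em: bytes, k: int = K, expected_len: int = 48) -> tuple[bool, bytes]:
    """Branch-free form: always scan the whole block, fold every check into one
    flag, and return a result of fixed length whether or not the padding was valid.

    expected_len is the fixed plaintext length the protocol expects (48 bytes for
    a TLS RSA premaster secret). On bad padding the caller receives random bytes
    of that length instead of an error, so the handshake proceeds and fails later
    in the same way for every malformed ciphertext.
    """
    if not 0 < expected_len <= k - 11:
        raise ValueError("expected_len does not fit the block")  # parameter check, not secret-dependent
    buf = (em + bytes(k))[:k]                      # fixed-size view so indexing never throws
    good = _ct_is_zero(len(em) ^ k, 32)            # wrong block length -> invalid
    good &= _ct_is_zero(buf[0] ^ 0x00) & _ct_is_zero(buf[1] ^ 0x02)
    found, sep = 0, 0
    for i in range(2, k):                          # identical work for every input
        is_zero = _ct_is_zero(buf[i])
        first = is_zero & (found ^ 1)              # 1 only at the first zero byte
        sep = _ct_select(first, i, sep)
        found |= is_zero
    good &= found                                  # a separator must exist
    good &= 1 - (((sep - 10) >> 32) & 1)           # PS length >= 8  <=>  sep >= 10
    good &= _ct_is_zero((k - sep - 1) ^ expected_len, 32)  # plaintext has the expected length
    msg = buf[k - expected_len:]                   # fixed slice; does not depend on sep
    fallback = secrets.token_bytes(expected_len)   # handed out as the "plaintext" when invalid
    out = bytes(_ct_select(good, m, f) for m, f in zip(msg, fallback))
    return good == 1, out


if __name__ == "__main__":
    em = pad_pkcs1_v15(b"p" * 48)
    print(unpad_naive(em) == b"p" * 48, unpad_constant_time(em)[0])
    bad_header = b"\x00\x03" + em[2:]
    print(unpad_constant_time(bad_header))  # (False, 48 random bytes)
```

The caller of unpad_constant_time must not branch on the returned flag before it has done everything it would do for a valid block; otherwise the branch simply moves the oracle one layer up. The flag exists so that a protocol layer can log or fail uniformly after the work is complete.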

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions   Patched versions
cryptography (PyPI)  < 42.0.0            42.0.0

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 6

News mentions: 0 (no linked articles in our index yet)