CVE-2016-1494 — MEDIUM (5.3)

Q: What is CVE-2016-1494?

CVE-2016-1494 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.

Q: How severe is CVE-2016-1494?

CVE-2016-1494 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-1494?

Check the references section above for vendor advisories and patch information. Affected products include: Python Rsa, Fedoraproject Fedora, Opensuse Leap, Opensuse Opensuse.

Vulnerability Description

The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.

CVSS Score

5.3

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Python	Rsa	< 3.3
Fedoraproject	Fedora	22
Opensuse	Leap	42.1
Opensuse	Opensuse	13.1

Related Weaknesses (CWE)

CWE-20

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175897.htThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175942.htThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-01/msg00032.htmlMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/01/05/1Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/01/05/3Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/79829Third Party AdvisoryVDB Entry
https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attacPatchThird Party Advisory
https://blog.filippo.io/bleichenbacher-06-signature-forgery-in-python-rsa/ExploitThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175897.htThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2016-January/175942.htThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2016-01/msg00032.htmlMailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/01/05/1Mailing ListThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/01/05/3Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/79829Third Party AdvisoryVDB Entry
https://bitbucket.org/sybren/python-rsa/pull-requests/14/security-fix-bb06-attacPatchThird Party Advisory

FAQ

What is CVE-2016-1494?

CVE-2016-1494 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.

How severe is CVE-2016-1494?

CVE-2016-1494 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-1494?

Check the references section above for vendor advisories and patch information. Affected products include: Python Rsa, Fedoraproject Fedora, Opensuse Leap, Opensuse Opensuse.