7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26263

GHSA ID

GHSA-wvcv-832q-fjg7

EPSS Score

0.47711%

CWE

CWE-326

Published

12/21/2020

Updated

11/13/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26263

CVE-2020-26263:
RSA weakness in tslite-ng

Impact

The code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependant. In particular, code in current (as of 0.8.0-alpha38) master https://github.com/tlsfuzzer/tlslite-ng/blob/0812ed60860fa61a6573b2c0e18771414958f46d/tlslite/utils/rsakey.py#L407-L441 and code in 0.7.5 branch https://github.com/tlsfuzzer/tlslite-ng/blob/acdde3161124d6ae37c506b3476aea9996d12e97/tlslite/utils/rsakey.py#L394-L425 has multiple ways in which it leaks information (for one, it aborts as soon as the plaintext doesn't start with 0x00, 0x02) about the decrypted ciphertext (both the bit length of the decrypted message as well as where the first unexpected byte lays).

All TLS servers that enable RSA key exchange as well as applications that use the RSA decryption API directly are vulnerable.

All previous versions of tlslite-ng are vulnerable.

Patches

The patches to fix it are proposed in https://github.com/tlsfuzzer/tlslite-ng/pull/438 https://github.com/tlsfuzzer/tlslite-ng/pull/439

Note: the patches depend on Python processing the individual bytes in side-channel free manner, this is known to not be the case: https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ As such, users that require side-channel resistance are recommended to use different TLS implementations, as stated in the security policy of tlslite-ng.

Workarounds

There is no way to workaround this issue.

References

https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/

For more information

If you have any questions or comments about this advisory please open an issue in tlslite-ng.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26263

GHSA ID

GHSA-wvcv-832q-fjg7

EPSS Score

0.47711%

CWE

CWE-326

Published

12/21/2020

Updated

11/13/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tlslite-ng	pip	< 0.7.6	0.7.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly references the decrypt method in rsakey.py as the source of data-dependent timing leaks. The original implementation performed: 1) early return on length mismatch, 2) byte-by-byte scanning for padding validation, and 3) immediate abort on invalid header bytes. The commit diff shows these sections were replaced with constant-time operations (ct_lsb_prop_u8, ct_neq_u32) and synthetic message generation to eliminate timing dependencies. The CWE-326 mapping confirms this relates to cryptographic timing weaknesses.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** *o** t**t p*r*orms ***ryption *n* p***in* ****k in RS* PK*S#* v*.* ***ryption is **t* **p*n**nt. In p*rti*ul*r, *o** in *urr*nt (*s o* *.*.*-*lp****) m*st*r *ttps://*it*u*.*om/tls*uzz*r/tlslit*-n*/*lo*/*********************************

Reasoning

T** vuln*r**ility **s*ription *xpli*itly r***r*n**s t** ***rypt m*t*o* in rs*k*y.py *s t** sour** o* **t*-**p*n**nt timin* l**ks. T** ori*in*l impl*m*nt*tion p*r*orm**: *) **rly r*turn on l*n*t* mism*t**, *) *yt*-*y-*yt* s**nnin* *or p***in* v*li**ti

7.5

Basic Information

Concerned about an active attack path?

CVE-2020-26263: RSA weakness in tslite-ng

Impact

Patches

Workarounds

References

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-26263:
RSA weakness in tslite-ng

Vulnerability Intelligence
Miggo AI