ATRODO (Jon Gentle)のNet::Dropbearにおける不特定の脆弱性
| Title |
ATRODO (Jon Gentle)のNet::Dropbearにおける不特定の脆弱性
|
| Summary |
Perl向けのNet::Dropbearバージョン0.14未満には、脆弱なlibtomcryptが含まれており、この問題によりセキュリティリスクが発生します。
|
| Possible impacts |
当該ソフトウェアが扱う全ての情報が外部に漏れる可能性があります。 また、当該ソフトウェアが扱う全ての情報が書き換えられる可能性があります。 さらに、当該ソフトウェアが完全に停止する可能性があります。 そして、この脆弱性を悪用した攻撃により、他のソフトウェアにも影響が及ぶ可能性があります。 |
| Solution |
正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。 |
| Publication Date |
April 21, 2026, midnight |
| Registration Date |
April 24, 2026, 11:35 a.m. |
| Last Update |
April 24, 2026, 11:35 a.m. |
|
CVSS3.0 : 緊急
|
| Score |
10
|
| Vector |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Affected System
| ATRODO (Jon Gentle) |
|
Net::Dropbear 0.14 未満
|
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
その他
Change Log
| No |
Changed Details |
Date of change |
| 1 |
[2026年04月24日]
掲載 |
April 24, 2026, 11:35 a.m. |
NVD Vulnerability Information
CVE-2016-6129
| Summary |
The rsa_verify_hash_ex function in rsa_verify_hash.c in LibTomCrypt, as used in OP-TEE before 2.2.0, does not validate that the message length is equal to the ASN.1 encoded data length, which makes it easier for remote attackers to forge RSA signatures or public certificates by leveraging a Bleichenbacher signature forgery attack.
|
| Publication Date |
Feb. 14, 2017, 3:59 a.m. |
| Registration Date |
Jan. 26, 2021, 2:14 p.m. |
| Last Update |
Nov. 21, 2024, 11:55 a.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:op-tee:op-tee_os:*:*:*:*:*:*:*:* |
|
2.1.0 |
|
|
| Configuration2 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:libtom:libtomcrypt:*:*:*:*:*:*:*:* |
|
1.17 |
|
|
Related information, measures and tools
Common Vulnerabilities List
CVE-2018-12437
| Summary |
LibTomCrypt through 1.18.1 allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
|
| Publication Date |
June 15, 2018, 11:29 a.m. |
| Registration Date |
March 1, 2021, 6:49 p.m. |
| Last Update |
Nov. 21, 2024, 12:45 p.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:libtom:libtomcrypt:*:*:*:*:*:*:*:* |
|
1.18.1 |
|
|
| Configuration2 |
or higher |
or less |
more than |
less than |
| cpe:2.3:o:linaro:op-tee:*:*:*:*:*:*:*:* |
|
3.5.0 |
|
|
Related information, measures and tools
Common Vulnerabilities List
CVE-2025-15638
| Summary |
Net::Dropbear versions before 0.14 for Perl contains a vulnerable version of libtomcrypt.
Net::Dropbear versions before 0.14 includes versions of Dropbear 2019.78 or earlier. These include versions of libtomcrypt v1.18.1 or earlier, which is affected by CVE-2016-6129 and CVE-2018-12437.
|
| Publication Date |
April 22, 2026, 1:16 a.m. |
| Registration Date |
April 25, 2026, 4:03 a.m. |
| Last Update |
April 23, 2026, 2:35 a.m. |
Affected software configurations
| Configuration1 |
or higher |
or less |
more than |
less than |
| cpe:2.3:a:atrodo:net\:\:dropbear:*:*:*:*:*:perl:*:* |
|
|
|
0.14 |
Related information, measures and tools
Common Vulnerabilities List