CVE-2024-26306: 
Rocky Linux vulnerability analysis and mitigation

CVE-2024-26306 affects iPerf3 versions before 3.17 when used with OpenSSL before 3.2.0 as a server with RSA authentication. The vulnerability was discovered and reported by Hubert Kario from RedHat, and was disclosed on May 10, 2024. The vulnerability affects the authentication scheme in iPerf3, a network performance testing tool (ESnet Advisory).

The vulnerability is a timing side-channel attack in RSA decryption operations when using EVPPKEYdecrypt() or RSAprivatedecrypt() methods in a non-constant time fashion. This vulnerability is specifically related to the padding applied to encrypted strings and is described in 'Everlasting ROBOT: the Marvin Attack' by Hubert Kario. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with attack vector: Network, attack complexity: High, and no privileges or user interaction required (CISA ADP).

An attacker who can send a sufficiently large number of messages for decryption to a listening iPerf3 server could potentially recover the plaintext credential used for authorization. This would allow unauthorized users to perform network performance tests without proper authentication (ESnet Advisory).

The vulnerability has been fixed in iPerf3 version 3.17 by implementing OAEP padding. For backwards compatibility, a new option '--use-pkcs1-padding' has been added, though using this option will re-enable the vulnerable code. There are no workarounds for this issue other than upgrading to version 3.17 or later (GitHub Release).