Products
wolfSSL
Source
facts@wolfssl.com
CVE-2024-1544 details
Last Modified : Aug. 27, 2024, 7:15 p.m.
Description
ECDSA nonce generation samples a random number r and then truncates this randomness with a modular reduction mod n, where n is the order of the elliptic curve, so that k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits of r (a digit having, e.g., a size of 8 bytes) by the upper digit of n, and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow-revealing side channel reveals a bias in the most significant bits of k. Depending on the curve, this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, for example, we find a bias of 15 bits.
CVSS Score
4.1
Weakness
Weakness | Name | Description |
---|---|---|
CWE-203 | Observable Discrepancy | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
CVSS Data
Metric | Value |
---|---|
Attack Vector | LOCAL |
Attack Complexity | HIGH |
Privileges Required | HIGH |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Base Score | 4.1 |
Exploitability Score | 0.5 |
Impact Score | 3.6 |
Base Severity | MEDIUM |
Vector String : CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
References
URL | Source |
---|---|
https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable | facts@wolfssl.com |