CVE-2024-2881

Sept. 4, 2024, 2:27 p.m.

CVSS Score

8.8 / 10

Products Impacted

Vendor Product Versions
wolfssl
  • wolfssl
  • 5.6.6
linux
  • linux_kernel
  • -
microsoft
  • windows
  • -

Description

Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure.

Weaknesses

CWE-1256
Improper Restriction of Software Interfaces to Hardware Features

The product provides software-controllable device functionality for capabilities such as power and clock management, but it does not properly limit functionality that can lead to modification of hardware memory or register bits, or the ability to observe physical side channels.

CWE ID: 1256
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE ID: 74

Date

Published: Aug. 30, 2024, 12:15 a.m.

Last Modified: Sept. 4, 2024, 2:27 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

facts@wolfssl.com

CPEs

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a wolfssl wolfssl 5.6.6 / / / / / / /
o linux linux_kernel - / / / / / / /
o microsoft windows - / / / / / / /

CVSS Data

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score
8.8
Exploitability Score
2.8
Impact Score
5.9
Base Severity
HIGH
CVSS Vector String

The CVSS vector string provides an in-depth view of the vulnerability metrics.

View Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References