CVE-2024-1544

{"id": "CVE-2024-1544", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "facts@wolfssl.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.5}]}, "published": "2024-08-27T19:15:16.547", "references": [{"url": "https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable", "source": "facts@wolfssl.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "facts@wolfssl.com", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "Generating the ECDSA nonce k samples a random number r and then \ntruncates this randomness with a modular reduction mod n where n is the \norder of the elliptic curve. Meaning k = r mod n. The division used \nduring the reduction estimates a factor q_e by dividing the upper two \ndigits (a digit having e.g. a size of 8 byte) of r by the upper digit of \nn and then decrements q_e in a loop until it has the correct size. \nObserving the number of times q_e is decremented through a control-flow \nrevealing side-channel reveals a bias in the most significant bits of \nk. Depending on the curve this is either a negligible bias or a \nsignificant bias large enough to reconstruct k with lattice reduction \nmethods. For SECP160R1, e.g., we find a bias of 15 bits."}, {"lang": "es", "value": "Generar el nonce k ECDSA muestra un n\u00famero aleatorio r y luego trunca esta aleatoriedad con una reducci\u00f3n modular mod n donde n es el orden de la curva el\u00edptica. Significado k = r mod n. La divisi\u00f3n utilizada durante la reducci\u00f3n estima un factor q_e dividiendo los dos d\u00edgitos superiores (un d\u00edgito que tiene, por ejemplo, un tama\u00f1o de 8 bytes) de r por el d\u00edgito superior de n y luego disminuye q_e en un bucle hasta que tenga el tama\u00f1o correcto. Observar el n\u00famero de veces que q_e disminuye a trav\u00e9s de un canal lateral revelador de flujo de control revela un sesgo en los bits m\u00e1s significativos de k. Dependiendo de la curva, esto es un sesgo insignificante o un sesgo significativo lo suficientemente grande como para reconstruir k con m\u00e9todos de reducci\u00f3n de celos\u00eda. Para SECP160R1, por ejemplo, encontramos un sesgo de 15 bits."}], "lastModified": "2024-08-28T12:57:39.090", "sourceIdentifier": "facts@wolfssl.com"}