CVE-2024-9355

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 5.5

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:10133
https://access.redhat.com/errata/RHSA-2024:7502
https://access.redhat.com/errata/RHSA-2024:7550
https://access.redhat.com/errata/RHSA-2024:8327
https://access.redhat.com/errata/RHSA-2024:8678
https://access.redhat.com/errata/RHSA-2024:8847
https://access.redhat.com/errata/RHSA-2024:9551
https://access.redhat.com/security/cve/CVE-2024-9355
https://bugzilla.redhat.com/show_bug.cgi?id=2315719

Configurations

No configuration.

History

21 Nov 2024, 20:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:10133 -

15 Nov 2024, 20:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:9551 -

05 Nov 2024, 08:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:8847 -

30 Oct 2024, 23:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:8678 -

22 Oct 2024, 17:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:8327 -

03 Oct 2024, 01:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2024:7550 -

02 Oct 2024, 18:15

Type	Values Removed	Values Added
Summary		(es) Se encontró una vulnerabilidad en Golang FIPS OpenSSL. Esta falla permite que un usuario malintencionado haga que se devuelva aleatoriamente una variable de longitud de búfer no inicializada con un búfer puesto a cero en modo FIPS. También es posible forzar una coincidencia de falso positivo entre hashes no iguales al comparar una suma hmac calculada confiable con una suma de entrada no confiable si un atacante puede enviar un búfer puesto a cero en lugar de una suma calculada previamente. También es posible forzar que una clave derivada sea todo ceros en lugar de un valor impredecible. Esto puede tener implicaciones posteriores para la pila TLS de Go.
References		() https://access.redhat.com/errata/RHSA-2024:7502 -

01 Oct 2024, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-01 19:15

Updated : 2024-11-21 20:15

NVD link : CVE-2024-9355

Mitre link : CVE-2024-9355

CVE.ORG link : CVE-2024-9355

JSON object : View

Products Affected

No product.

CWE

CWE-457

Use of Uninitialized Variable

6.5 /10