CVE-2022-23004 – Algorithm incorrectly returning error and Invalid unreduced value written to output buffer
https://notcve.org/view.php?id=CVE-2022-23004
When computing a shared secret or point multiplication on the NIST P-256 curve using a public key with an X coordinate of zero, an error is returned from the library, and an invalid unreduced value is written to the output buffer. This may be leveraged by an attacker to cause an error scenario, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
• https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities
• CWE-682: Incorrect Calculation
• CWE-703: Improper Check or Handling of Exceptional Conditions
• CWE-707: Improper Neutralization
CVE-2022-23003 – Shared secret or Point multiplication of NIST P-256 points with X coordinate of zero
https://notcve.org/view.php?id=CVE-2022-23003
When computing a shared secret or point multiplication on the NIST P-256 curve that results in an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output may cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario or incorrect choice of session key in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
• https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities
• CWE-682: Incorrect Calculation
• CWE-703: Improper Check or Handling of Exceptional Conditions
CVE-2022-23002 – Point Compression/Decompression of NIST P-256 points with X coordinate of zero
https://notcve.org/view.php?id=CVE-2022-23002
When compressing or decompressing a point on the NIST P-256 elliptic curve with an X coordinate of zero, the resulting output is not properly reduced modulo the P-256 field prime and is invalid. The resulting output will cause an error when used in other operations. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
• https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities
• CWE-703: Improper Check or Handling of Exceptional Conditions
CVE-2022-23001 – Sweet-B Library: Point compress/decompress using the wrong bit for sign
https://notcve.org/view.php?id=CVE-2022-23001
When compressing or decompressing elliptic curve points using the Sweet B library, an incorrect choice of sign bit is used. An attacker with user level privileges and no other user's assistance can exploit this vulnerability with only knowledge of the public key and the library. The resulting output may cause an error when used in other operations; for instance, verification of a valid signature under a decompressed public key may fail. This may be leveraged by an attacker to cause an error scenario in applications which use the library, resulting in a limited denial of service for an individual user. The scope of impact cannot extend to other components.
• https://www.westerndigital.com/support/product-security/wdc-22013-sweet-b-incorrect-output-vulnerabilities
• CWE-682: Incorrect Calculation