CVE-2024-2881 – Fault Injection of EdDSA signature in WolfCrypt
https://notcve.org/view.php?id=CVE-2024-2881
Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure. • https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable • CWE-252: Unchecked Return Value CWE-1256: Improper Restriction of Software Interfaces to Hardware Features •
CVE-2024-1545 – Fault Injection of RSA encryption in WolfCrypt
https://notcve.org/view.php?id=CVE-2024-1545
Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure. • https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.0-stable • CWE-252: Unchecked Return Value CWE-1256: Improper Restriction of Software Interfaces to Hardware Features •
CVE-2024-1543 – AES T-Table sub-cache-line leakage
https://notcve.org/view.php?id=CVE-2024-1543
The side-channel protected T-Table implementation in wolfSSL up to version 5.6.5 protects against a side-channel attacker with cache-line resolution. In a controlled environment such as Intel SGX, an attacker can gain a per instruction sub-cache-line resolution allowing them to break the cache-line-level protection. For details on the attack refer to: https://doi.org/10.46586/tches.v2024.i1.457-500 • https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-566-dec-19-2023 • CWE-208: Observable Timing Discrepancy •
CVE-2024-1544 – ECDSA nonce bias caused by truncation
https://notcve.org/view.php?id=CVE-2024-1544
Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits. • https://github.com/wolfSSL/wolfssl/releases/tag/v5.7.2-stable • CWE-203: Observable Discrepancy •
CVE-2024-5814 – Unverifed Ciphersuite used on a client-side TLS1.3 Downgrade
https://notcve.org/view.php?id=CVE-2024-5814
A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500 • https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#add_later • CWE-284: Improper Access Control •