CVE-2022-30629

Session tickets lack random ticket_age_add in crypto/tls

Severity Score

3.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Non-random values for ticket_age_add in session tickets in crypto/tls before Go 1.17.11 and Go 1.18.3 allow an attacker that can observe TLS handshakes to correlate successive connections by comparing ticket ages during session resumption.

Valores no aleatorios para la función ticket_age_add en los tickets de sesión en crypto/tls versiones anteriores a Go 1.17.11 y Go 1.18.3, permiten a un atacante que pueda observar los handshakes TLS correlacionar conexiones sucesivas comparando las edades de los tickets durante la reanudación de la sesión

A flaw was found in the crypto/tls golang package. When session tickets are generated by crypto/tls, it is missing the ticket expiration. This issue may allow an attacker to observe the TLS handshakes to correlate successive connections during session resumption.

*Credits: Github user @nervuri

CVSS Scores

NISTv3.1 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-12 CVE Reserved
2022-08-09 CVE Published
2024-03-01 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-330: Use of Insufficiently Random Values
CWE-331: Insufficient Entropy

CAPEC

References (7)

URL	Tag	Source

URL	Date	SRC
https://go.dev/issue/52814	2024-08-03

URL	Date	SRC
https://go.dev/cl/405994	2023-11-07
https://go.googlesource.com/go/+/fe4de36198794c447fbd9d7cc2d7199a506c76a5	2023-11-07

URL	Date	SRC
https://groups.google.com/g/golang-announce/c/TzIC9-t8Ytg/m/IWz5T6x7AAAJ	2023-11-07
https://pkg.go.dev/vuln/GO-2022-0531	2023-11-07
https://access.redhat.com/security/cve/CVE-2022-30629	2023-08-07
https://bugzilla.redhat.com/show_bug.cgi?id=2092793	2023-08-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				< 1.17.11 Search vendor "Golang" for product "Go" and version " < 1.17.11"		-		Affected
Golang Search vendor "Golang"		Go Search vendor "Golang" for product "Go"				>= 1.18.0 < 1.18.3 Search vendor "Golang" for product "Go" and version " >= 1.18.0 < 1.18.3"		-		Affected