CVE-2024-22473
Uninitialized TRNG used for ECDSA after EM2/EM3 sleep for VSE devices
Severity Score
6.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. This defect may allow Signature Spoofing by Key Recreation.This issue affects Gecko SDK through v4.4.0.
TRNG se utiliza antes de la inicialización mediante el controlador de firma ECDSA al salir de EM2/EM3 en dispositivos Virtual Secure Vault (VSE). Este defecto puede permitir la suplantación de firmas mediante recreación clave. Este problema afecta a Gecko SDK hasta la versión 4.4.0.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-01-10 CVE Reserved
- 2024-02-21 CVE Published
- 2024-02-22 EPSS Updated
- 2024-09-27 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-330: Use of Insufficiently Random Values
- CWE-331: Insufficient Entropy
- CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
- CWE-908: Use of Uninitialized Resource
- CWE-1279: Cryptographic Operations are run Before Supporting Units are Ready
CAPEC
- CAPEC-474: Signature Spoofing by Key Theft
- CAPEC-485: Signature Spoofing by Key Recreation
References (1)
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Silabs.com Search vendor "Silabs.com" | GSDK Search vendor "Silabs.com" for product "GSDK" | <= 4.4.0 Search vendor "Silabs.com" for product "GSDK" and version " <= 4.4.0" | en |
Affected
| ||||||