CVE-2024-34703

Botan Vulnerable to Denial of Service Due to Overly Large Elliptic Curve Parameters

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Botan is a C++ cryptography library. X.509 certificates can identify elliptic curves using either an object identifier or using explicit encoding of the parameters. Prior to versions 3.3.0 and 2.19.4, an attacker could present an ECDSA X.509 certificate using explicit encoding where the parameters are very large. The proof of concept used a 16Kbit prime for this purpose. When parsing, the parameter is checked to be prime, causing excessive computation. This was patched in 2.19.4 and 3.3.0 to allow the prime parameter of the elliptic curve to be at most 521 bits. No known workarounds are available. Note that support for explicit encoding of elliptic curve parameters is deprecated in Botan.

Botan es una librería de criptografía C++. Los certificados X.509 pueden identificar curvas elípticas utilizando un identificador de objeto o una codificación explícita de los parámetros. Antes de las versiones 3.3.0 y 2.19.4, un atacante podía presentar un certificado ECDSA X.509 usando codificación explícita donde los parámetros eran muy grandes. La prueba de concepto utilizó un prime de 16 Kbit para este propósito. Al analizar, se comprueba que el parámetro sea primo, lo que provoca un cálculo excesivo. Esto fue parcheado en 2.19.4 y 3.3.0 para permitir que el parámetro principal de la curva elíptica tenga como máximo 521 bits. No hay workarounds disponibles. Tenga en cuenta que la compatibilidad con la codificación explícita de parámetros de curvas elípticas está obsoleta en Botan.

*Credits: N/A

CVSS Scores

GitHubv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-07 CVE Reserved
2024-06-30 CVE Published
2024-07-01 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-405: Asymmetric Resource Consumption (Amplification)
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (3)

URL	Tag	Source
https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4	X_refsource_misc
https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a	X_refsource_misc
https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Randombit Search vendor "Randombit"		Botan Search vendor "Randombit" for product "Botan"				3.3.0 Search vendor "Randombit" for product "Botan" and version "3.3.0"		en		Affected
Randombit Search vendor "Randombit"		Botan Search vendor "Randombit" for product "Botan"				< 2.19.4 Search vendor "Randombit" for product "Botan" and version " < 2.19.4"		en		Affected