SB2024090464 - Fedora 40 update for wolfssl

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2024090464

SB2024090464 - Fedora 40 update for wolfssl

Published: September 4, 2024

Security Bulletin ID SB2024090464
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Cryptographic issues (CVE-ID: CVE-2024-1543)

CWE-ID: CWE-310 - Cryptographic Issues

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to gain access to sensitive information.

A side channel vulnerability with AES T-Tables is possible in a very controlled environment where precision sub-cache-line inspection can happen, such as inside an Intel SGX enclave. This can lead to recovery of the AES key. To prevent this type of attack, wolfSSL added an AES bitsliced implementation which can be enabled with the "--enable-aes-bitsliced" configure option.


2) Improper restriction of software interfaces to hardware features (CVE-ID: CVE-2024-1545)

CWE-ID: CWE-1256 - Improper restriction of software interfaces to hardware features

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to decrypt data.

The vulnerability exists due to a fault injection within the RsaPrivateDecryption() function in wolfssl/wolfcrypt/src/rsa.c. A local user can perform perform a Rowhammer fault injection and gain access to sensitive information.


Remediation

Install update from vendor's website.

References