Covert Timing Channel in OpenSSL - CVE-2024-13176
Published: February 4, 2025 / Updated: May 21, 2025
Vulnerability identifier: #VU103600
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-13176
CWE-ID: CWE-385
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: OpenSSL Software Foundation
Affected software:
OpenSSL
OpenSSL
Detailed vulnerability description
The vulnerability allows a remote attacker to recover a private key.
The vulnerability exists due to a timing side-channel in ECDSA signature computations. A remote attacker can recover the private key and decrypt data.
Successful exploitation of the vulnerability requires that the attacker's process must either be located in the same physical computer or must have a very fast network connection with low latency.
How to mitigate CVE-2024-13176
Install update from vendor's website.
Sources
- http://www.openwall.com/lists/oss-security/2025/01/20/2
- https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844
- https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467
- https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902
- https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65
- https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f
- https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded
- https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86
- https://openssl-library.org/news/secadv/20250120.txt
- https://security.netapp.com/advisory/ntap-20250124-0005/