Main Vulnerability Database Vulnerabilities #VU66876

Improper restriction of software interfaces to hardware features in wolfSSL - CVE-2022-42961

Published: August 31, 2022 / Updated: January 20, 2023

Vulnerability identifier: #VU66876

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-42961

CWE-ID: CWE-1256

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: wolfSSL

Affected software:
wolfSSL

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the way wolfSSL handles operations with private ECC keys such as server side TLS connections and creation of ECC signatures. A malicious server can perform fault injection attack on RAM (e.g. using Rowhammer attack) and obtain the ECDSA key.

How to mitigate CVE-2022-42961

Install updates from vendor's website.

Sources

https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable

Improper restriction of software interfaces to hardware features in wolfSSL - CVE-2022-42961

Detailed vulnerability description

How to mitigate CVE-2022-42961

Sources

Please verify you're human