Vulnerability identifier: #VU45988

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-15309

CWE-ID: CWE-310

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
wolfSSL
Universal components / Libraries / Libraries used by multiple products

Vendor: wolfSSL

Description

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists in wolfSSL when single precision is not employed. A local user can conduct a cache-timing attack against public key operations. These attackers may already have obtained sensitive information if the affected system has been used for private key operations (e.g., signing with a private key).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

wolfSSL: 4.0 - 4.4.0

---

CPE

• cpe:2.3:a:wolfssl:wolfssl:4.4.0:*:*:*:*:*:*:*

External links
http://github.com/wolfSSL/wolfssl/releases/tag/v4.5.0-stable

---

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?