#VU84653 Infinite loop in Crypto++ - CVE-2023-50981

Cybersecurity Help s.r.o.

Published: 2023-12-21

Vulnerability identifier: #VU84653

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-50981

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Crypto++
Universal components / Libraries / Libraries used by multiple products

Vendor: cryptopp.com

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in ModularSquareRoot. A remote attacker can consume all available system resources and cause denial of service conditions via crafted DER public-key data associated with squared odd numbers, such as the square of 268995137513890432434389773128616504853.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Crypto++: 5.0 - 8.9.0

External links
https://github.com/weidai11/cryptopp/issues/1249

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for libcryptopp

Denial of service in Crypto++