#VU94671 Asymmetric Resource Consumption (Amplification) in Botan - CVE-2024-34702
Vulnerability identifier: #VU94671
Vulnerability risk: Medium
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID:
CWE-ID:
CWE-405
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Botan
Universal components / Libraries /
Libraries used by multiple products
Vendor: Randombit
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to excessive name constraints. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Botan: 2.19.0 - 2.19.4, 3.0.0, 3.1.0 - 3.1.1, 3.2.0, 3.3.0, 3.4.0
External links
https://github.com/randombit/botan/security/advisories/GHSA-5gg9-hqpr-r58j
https://github.com/randombit/botan/pull/4034
https://github.com/randombit/botan/pull/4045
https://github.com/randombit/botan/pull/4047
https://github.com/randombit/botan/pull/4052
https://github.com/randombit/botan/pull/4186
https://github.com/randombit/botan/pull/4187
https://github.com/randombit/botan/commit/21dccc8fef18c165ba3301d850ac61521f85637e
https://github.com/randombit/botan/commit/39535f13c322f56aa3da2f44b2b6abb8619a82ac
https://github.com/randombit/botan/commit/477822a2d10f02d8ba46c9d8a5132f25843f5cc1
https://github.com/randombit/botan/commit/7606d70d3a2ac7114476ec2651ca0243c4536fdf
https://github.com/randombit/botan/commit/c3264821b9f6286ee4e6e3e06826f6b7177e6d41
https://github.com/randombit/botan/commit/ff704b12e6fa351aaedd07bffdc91722e84586b8
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
