#VU99563 Improper verification of cryptographic signature in elliptic - CVE-2024-48948


Vulnerability identifier: #VU99563

Vulnerability risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-48948

CWE-ID: CWE-347

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
elliptic
Web applications / JS libraries

Vendor: indutny

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect validation of valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. Such behavior leads to valid signatures being rejected.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

elliptic: 6.0.0 - 6.5.7

External links
http://github.com/indutny/elliptic/pull/322
http://github.com/indutny/elliptic/issues/321
http://github.com/advisories/GHSA-fc9h-whq2-v747

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Cognos Analytics Mobile (Android)
Multiple vulnerabilities in IBM Cognos Analytics Mobile (iOS)
Multiple vulnerabilities in IBM Cognos Dashboards on Cloud Pak for Data
Multiple vulnerabilities in IBM QRadar Deployment Intelligence App
Multiple vulnerabilities in IBM QRadar Log Source Management App
Multiple vulnerabilities in IBM Decision Optimization for Cloud Pak for Data
Multiple vulnerabilities in IBM Data Product Hub
Multiple vulnerabilities in IBM App Connect Enterprise Certified Container
SUSE update for pgadmin4
Improper verification of cryptographic signature in Elliptic