CVE-2022-42961
Vulnerability from cvelistv5
Published
2022-10-15 00:00
Modified
2024-08-03 13:19
Severity ?
EPSS score ?
Summary
An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC signatures. These signatures can be processed via an advanced technique for ECDSA key recovery. (In 5.5.0 and later, WOLFSSL_CHECK_SIG_FAULTS can be used to address the vulnerability.)
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable | Release Notes, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable | Release Notes, Third Party Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:19:05.507Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC signatures. These signatures can be processed via an advanced technique for ECDSA key recovery. (In 5.5.0 and later, WOLFSSL_CHECK_SIG_FAULTS can be used to address the vulnerability.)" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-10-15T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-42961", "datePublished": "2022-10-15T00:00:00", "dateReserved": "2022-10-15T00:00:00", "dateUpdated": "2024-08-03T13:19:05.507Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-42961\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2022-10-15T04:15:17.703\",\"lastModified\":\"2024-11-21T07:25:41.433\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC signatures. These signatures can be processed via an advanced technique for ECDSA key recovery. (In 5.5.0 and later, WOLFSSL_CHECK_SIG_FAULTS can be used to address the vulnerability.)\"},{\"lang\":\"es\",\"value\":\"Se ha detectado un problema en wolfSSL versiones anteriores a 5.5.0. Un ataque de inyecci\u00f3n de fallos en la RAM por medio de Rowhammer conlleva a una divulgaci\u00f3n de claves ECDSA. Los usuarios que llevan a cabo operaciones de firma con claves ECC privadas, como en las conexiones TLS del lado del servidor, podr\u00edan filtrar firmas ECC defectuosas. Estas firmas pueden ser procesadas por medio de una t\u00e9cnica avanzada de recuperaci\u00f3n de claves ECDSA. (En la versi\u00f3n 5.5.0 y posteriores, puede usarse WOLFSSL_CHECK_SIG_FAULTS para abordar la vulnerabilidad)\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wolfssl:wolfssl:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"5.5.0\",\"matchCriteriaId\":\"429B1D46-A7C6-4510-89E4-88222C933D0B\"}]}]}],\"references\":[{\"url\":\"https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable\",\"source\":\"cve@mitre.org\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.0-stable\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]}]}}" } }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.