CVE-2021-24116 — Observable Discrepancy in Wolfssl

CWE-203 — Observable Discrepancy5 documents5 sources

Severity

4.9MEDIUMNVD

EPSS

0.3%

top 51.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl

Timeline

PublishedJul 14

Latest updateMay 24

Description

In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decoding allows system-level (administrator) attackers to obtain information about secret RSA keys via a controlled-channel and side-channel attack on software running in isolated environments that can be single stepped, especially Intel SGX.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/wolfssl< wolfssl 4.6.0-1 (bookworm)

▶NVDwolfssl/wolfssl< 4.6.0

▶Debianwolfssl/wolfssl< 4.6.0-1+3

🔴Vulnerability Details

GHSA

GHSA-jh62-5q2g-qjmx: In wolfSSL through 4↗2022-05-24

▶

OSV

CVE-2021-24116: In wolfSSL through 4↗2021-07-14

▶

📋Vendor Advisories

Debian

CVE-2021-24116: wolfssl - In wolfSSL through 4.6.0, a side-channel vulnerability in base64 PEM file decodi...↗2021

▶

📄Research Papers

arXiv

Util::Lookup: Exploiting key decoding in cryptographic libraries↗2021-08-10

▶