CVE-2022-24884: Improper Verification of Cryptographic Signature in Ecdsautils

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 68.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 6; latest update Jul 20

Description

ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI co
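The omitted check is the range test that every ECDSA verifier has to perform before `r` and `s` enter the arithmetic: both must lie in `[1, n-1]`, and a verifier that skips it has nothing that rejects an all-zero pair. The following is an added example, not ecdsautils code, of textbook ECDSA over secp256k1 in pure Python with that check in place; `count_valid_signers` is a quorum check in the spirit of the multi-signature list verification the description mentions, not a port of `ecdsa_verify_list_legacy()`. The keys and messages are constructed for the demonstration, and the code uses plain affine arithmetic with no side-channel hardening.

```python
"""Textbook ECDSA over secp256k1 (added example, not ecdsautils code).

Shows the r/s range check that the legacy ecdsautils verify path omitted:
an all-zero signature is rejected here before any curve arithmetic runs.
"""
import hashlib
import secrets

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p1 == -p2
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # a = 0 on secp256k1
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add; scalar_mult(N, G) is the point at infinity."""
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def on_curve(point):
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def digest_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def keygen():
    priv = secrets.randbelow(N - 1) + 1
    return priv, scalar_mult(priv, G)


def sign(priv, e):
    """Standard ECDSA signing; the signer itself never emits r == 0 or s == 0."""
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (e + r * priv) % N
        if s == 0:
            continue
        return (r, s)


def verify(pub, e, sig):
    r, s = sig
    # The check the legacy ecdsautils path omitted: r and s must be in [1, N-1].
    # It runs before any inverse or point operation touches the values.
    if not (1 <= r < N and 1 <= s < N):
        return False
    if pub is None or not on_curve(pub):
        return False
    w = pow(s, -1, N)
    u1, u2 = e * w % N, r * w % N
    x = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    return x is not None and x[0] % N == r


def count_valid_signers(pubs, e, sigs):
    """Quorum-style check (our own, not ecdsautils'): number of distinct public
    keys for which at least one supplied signature verifies."""
    return sum(1 for pub in pubs if any(verify(pub, e, sig) for sig in sigs))


if __name__ == "__main__":
    priv, pub = keygen()
    e = digest_to_int(b"constructed test message")
    sig = sign(priv, e)
    print("genuine signature:", verify(pub, e, sig))        # True
    print("all-zero signature:", verify(pub, e, (0, 0)))    # False
    print("signers from forged list:",
          count_valid_signers([pub, keygen()[1]], e, [(0, 0), (0, 0)]))  # 0
```

Requiring signatures from several keys only helps when each one is individually range-checked, which is why `count_valid_signers` delegates to `verify` rather than doing its own bookkeeping on `r` and `s`.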

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

debian: debian/ecdsautils < ecdsautils 0.4.1-1 (bookworm)
CVEListV5: freifunk-gluon/ecdsautils < 0.4.1
Debian: ecdsautils_project/ecdsautils < 0.3.2+git20151018-2+deb11u1+3

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 34, 35, 36

Patches

Vulnerability Details (1)

OSV: CVE-2022-24884: ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify) (2022-05-06)

Vendor Advisories (2)

Ubuntu: ECDSA Util vulnerability (2023-07-20)
Debian: CVE-2022-24884: ecdsautils - ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify... (2022)
CVE-2022-24884 — Ecdsautils vulnerability | cvebase