CVE-2023-6935 — Observable Discrepancy in Wolfssl

CWE-203 — Observable Discrepancy5 documents5 sources

Severity

5.9MEDIUMNVD

EPSS

0.3%

top 45.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl Msrc Azl3 Mariadb 10.11.6-3 ON Azure Linux 3.0 +4 more

Timeline

PublishedFeb 9

Latest updateFeb 13

Description

wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSL_STATIC_RSA" The define “WOLFSSL_STATIC_RSA” enables static RSA cipher suites, which is not recommended, and has been disabled by default since wolfSSL 3.6.6. Therefore the default build since 3.6.6, even with "--enable-all", is not vulnerable to the Marvin Attack. The vulnerability is…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages8 packages

▶debiandebian/wolfssl< wolfssl 5.6.6-1.2 (forky)

▶Debianwolfssl/wolfssl< 5.6.6-1.2+1

▶NVDwolfssl/wolfssl3.12.2 — 5.6.4

▶msrcmsrc/azure_linux_3.0_arm

▶msrcmsrc/azure_linux_3.0_x64

🔴Vulnerability Details

GHSA

GHSA-r36f-f47x-637q: wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the↗2024-02-10

▶

OSV

CVE-2023-6935: wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the↗2024-02-09

▶

📋Vendor Advisories

Microsoft

Marvin Attack vulnerability in SP Math All RSA↗2024-02-13

▶

Debian

CVE-2023-6935: wolfssl - wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new v...↗2023

▶