CVE-2024-1545 — Unchecked Return Value in Wolfssl

CWE-252 — Unchecked Return Value CWE-1256 — Improper Restriction of Software Interfaces to Hardware Features CWE-74 — Injection5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.2%

top 53.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl Wolfssl Wolfcrypt +4 more

Timeline

PublishedAug 29

Latest updateAug 30

Description

Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages8 packages

▶CVEListV5wolfssl/wolfcrypt5.6.6

▶debiandebian/wolfssl< wolfssl 5.7.0-0.3 (forky)

▶Debianwolfssl/wolfssl< 5.7.0-0.3+1

▶NVDwolfssl/wolfssl5.6.6

▶msrcmsrc/azure_linux_3.0_arm

🔴Vulnerability Details

GHSA

GHSA-9chr-m38j-w26g: Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa↗2024-08-30

▶

OSV

CVE-2024-1545: Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa↗2024-08-29

▶

📋Vendor Advisories

Microsoft

Fault Injection of RSA encryption in WolfCrypt↗2024-08-13

▶

Debian

CVE-2024-1545: wolfssl - Fault Injection vulnerability in RsaPrivateDecryption function in wolfssl/wolfcr...↗2024

▶