CVE-2024-2881 — Unchecked Return Value in Wolfssl

CWE-252 — Unchecked Return Value CWE-1256 — Improper Restriction of Software Interfaces to Hardware Features CWE-74 — Injection5 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.4%

top 38.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wolfssl Debian Wolfssl Wolfssl Wolfcrypt +4 more

Timeline

PublishedAug 30

Latest updateDec 10

Description

Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519.c in WolfSSL wolfssl5.6.6 on Linux/Windows allows remote attacker co-resides in the same system with a victim process to disclose information and escalate privileges via Rowhammer fault injection to the ed25519_key structure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages8 packages

▶CVEListV5wolfssl/wolfcrypt5.6.6

▶debiandebian/wolfssl< wolfssl 5.7.0-0.3 (forky)

▶Debianwolfssl/wolfssl< 5.7.0-0.3+1

▶NVDwolfssl/wolfssl5.6.6

▶msrcmsrc/azure_linux_3.0_arm

🔴Vulnerability Details

OSV

CVE-2024-2881: Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519↗2024-08-30

▶

GHSA

GHSA-p7fr-35j6-p64g: Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcrypt/src/ed25519↗2024-08-30

▶

📋Vendor Advisories

Microsoft

CVE-2024-2881: NIST NVD Details: https://nvd↗2024-12-10

▶

Debian

CVE-2024-2881: wolfssl - Fault Injection vulnerability in wc_ed25519_sign_msg function in wolfssl/wolfcry...↗2024

▶