Aug 29, 2024 - 11:02 p.m.

CVE-2024-1545 Fault Injection of RSA encryption in WolfCrypt

2024-08-29 23:02:48
CWE-1256
CWE-252
wolfSSL
www.cve.org
cve-2024-1545
fault injection
wolfcrypt
rsa encryption
linux/windows
rowhammer
information disclosure
privilege escalation

CVSS3: 5.9

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

EPSS: 0.001
Percentile: 20.0%

Fault Injection vulnerability in the RsaPrivateDecryption function in wolfssl/wolfcrypt/src/rsa.c in WolfSSL wolfssl 5.6.6 on Linux/Windows allows a remote attacker who co-resides on the same system as a victim process to disclose information and escalate privileges via Rowhammer fault injection to the RsaKey structure.

CNA Affected

[
  {
    "collectionURL": "https://github.com/wolfSSL/wolfssl",
    "defaultStatus": "affected",
    "modules": [
      "RSA encryption system"
    ],
    "packageName": "wolfssl",
    "platforms": [
      "Linux",
      "Windows",
      "64 bit",
      "32 bit"
    ],
    "product": "wolfCrypt",
    "programFiles": [
      "https://github.com/wolfSSL/wolfssl/blob/master/wolfcrypt/src/rsa.c"
    ],
    "programRoutines": [
      {
        "name": "RsaPrivateDecrypt"
      }
    ],
    "repo": "https://github.com/wolfSSL/wolfssl",
    "vendor": "WolfSSL",
    "versions": [
      {
        "lessThanOrEqual": "5.6.6",
        "status": "affected",
        "version": "0",
        "versionType": "git"
      }
    ]
  }
]
