CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
9.5%
Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 12 | all | wolfssl | <= 5.5.4-2+deb12u1 | wolfssl_5.5.4-2+deb12u1_all.deb |
Debian | 11 | all | wolfssl | <= 4.6.0+p1-0+deb11u2 | wolfssl_4.6.0+p1-0+deb11u2_all.deb |
Debian | 999 | all | wolfssl | <= 5.7.0-0.3 | wolfssl_5.7.0-0.3_all.deb |
Debian | 13 | all | wolfssl | <= 5.7.0-0.3 | wolfssl_5.7.0-0.3_all.deb |