CVE-2024-5814

2024-08-2719:15:17

Debian Security Bug Tracker

security-tracker.debian.org

tls1.2

tls1.3

ciphersuite

server hello

parsing

unix

CVSS4

5.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

ACTIVE

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/SC:N/VI:N/SI:N/VA:N/SA:N/AU:Y/U:Green/V:D/RE:M

AI Score

6.9

Confidence

Low

EPSS

Percentile

9.5%

JSON

A malicious TLS1.2 server can force a TLS1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500

OSVersionArchitecturePackageVersionFilename
Debian12allwolfssl<= 5.5.4-2+deb12u1wolfssl_5.5.4-2+deb12u1_all.deb
Debian11allwolfssl<= 4.6.0+p1-0+deb11u2wolfssl_4.6.0+p1-0+deb11u2_all.deb
Debian999allwolfssl<= 5.7.0-0.3wolfssl_5.7.0-0.3_all.deb
Debian13allwolfssl<= 5.7.0-0.3wolfssl_5.7.0-0.3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	wolfssl	<= 5.5.4-2+deb12u1	wolfssl_5.5.4-2+deb12u1_all.deb
Debian	11	all	wolfssl	<= 4.6.0+p1-0+deb11u2	wolfssl_4.6.0+p1-0+deb11u2_all.deb
Debian	999	all	wolfssl	<= 5.7.0-0.3	wolfssl_5.7.0-0.3_all.deb
Debian	13	all	wolfssl	<= 5.7.0-0.3	wolfssl_5.7.0-0.3_all.deb