2.4 KiB
CVE-2024-9143
Description
Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrustedexplicit values for the field polynomial can lead to out-of-bounds memory readsor writes.Impact summary: Out of bound memory writes can lead to an application crash oreven a possibility of a remote code execution, however, in all the protocolsinvolving Elliptic Curve Cryptography that we're aware of, either only "namedcurves" are supported, or, if explicit curve parameters are supported, theyspecify an X9.62 encoding of binary (GF(2^m)) curves that can't representproblematic input values. Thus the likelihood of existence of a vulnerableapplication is low.In particular, the X9.62 encoding is used for ECC keys in X.509 certificates,so problematic inputs cannot occur in the context of processing X.509certificates. Any problematic use-cases would have to be using an "exotic"curve encoding.The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(),and various supporting BN_GF2m_*() functions.Applications working with "exotic" explicit binary (GF(2^m)) curve parameters,that make it possible to represent invalid field polynomials with a zeroconstant term, via the above or similar APIs, may terminate abruptly as aresult of reading or writing outside of array bounds. Remote code executioncannot easily be ruled out.The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
POC
Reference
No PoCs from references.
Github
- https://github.com/Jidendiran-coder/trivy-grafana-alert-system
- https://github.com/SnoopyComp/FuzzGen_timestamp
- https://github.com/SnoopyComp/fuzzGen_cov
- https://github.com/XXRadeonXFX/trivy-grafana-ai-alert-automation
- https://github.com/adegoodyer/kubernetes-admin-toolkit
- https://github.com/ardhiatno/ubimicro-fluentbit
- https://github.com/barolab/link-fetcher
- https://github.com/google/oss-fuzz-gen
- https://github.com/lgturatti/techdrops
- https://github.com/suddenabnormalsecrets/oss-fuzz-gen
- https://github.com/thirumalai-py/trivy-grafana-ai-alert