Compiler-Induced Control Flow Vulnerability in Botan by Randombit
CVE-2024-50382

5.9 MEDIUM

Key Information:

Vendor

Randombit

Status
Vendor
CVE Published:
23 October 2024

What is CVE-2024-50382?

Botan versions prior to 3.6.0, when built with certain LLVM compiler versions, have compiler-induced secret-dependent control flow in the GHASH implementation used by AES-GCM, in the file 'lib/utils/ghash/ghash.cpp'. The issue arises in particular when using Clang in LLVM 15 on a RISC-V architecture: the generated code contains a branch instead of the required XOR operation with carry. Because that branch depends on secret data, it compromises the expected behavior of the cryptographic operation and can undermine the security of cryptographic processes.
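The difference between the intended masked XOR and the branching form described above, shown as an added example that is not Botan's code: a GF(2^128) multiplication in the SP 800-38D bit order, written once with masks and once with branches on the secret bits. The names `Block`, `gf128_mul_masked`, `gf128_mul_branchy`, `expand_bit` and `value_barrier` are hypothetical, and the `value_barrier` helper is a commonly used hardening technique assumed here; the page does not describe how 3.6.0 addresses the issue.

```cpp
#include <cstdint>

// 128-bit GHASH field element; hi holds the leftmost 64 bits (SP 800-38D bit order).
struct Block { uint64_t hi, lo; };

static const uint64_t R_HI = 0xE100000000000000ULL;  // reduction constant R = 0xE1 || 0^120

// Hide v from the optimizer so it cannot learn the mask is only ever 0 or ~0
// and rewrite the masked XOR as a conditional branch (GCC/Clang extension).
static inline uint64_t value_barrier(uint64_t v) {
#if defined(__GNUC__) || defined(__clang__)
    __asm__("" : "+r"(v));
#endif
    return v;
}

// Turn the low bit of `bit` into 0 or 0xFFFFFFFFFFFFFFFF without comparing it.
static inline uint64_t expand_bit(uint64_t bit) {
    return value_barrier(uint64_t(0) - (bit & 1));
}

// Intended form: every step is arithmetic on masks, so no branch depends on x or v.
Block gf128_mul_masked(Block x, Block v) {
    Block z = {0, 0};
    for (int i = 0; i < 128; ++i) {
        const uint64_t take = expand_bit(x.hi >> 63);  // current bit of x
        z.hi ^= v.hi & take;
        z.lo ^= v.lo & take;
        x.hi = (x.hi << 1) | (x.lo >> 63);
        x.lo <<= 1;
        const uint64_t carry = expand_bit(v.lo);       // bit about to be shifted out of v
        v.lo = (v.lo >> 1) | (v.hi << 63);
        v.hi = (v.hi >> 1) ^ (R_HI & carry);           // the XOR with carry
    }
    return z;
}

// Same result, but both `if`s test secret bits: the secret-dependent control flow.
Block gf128_mul_branchy(Block x, Block v) {
    Block z = {0, 0};
    for (int i = 0; i < 128; ++i) {
        if (x.hi >> 63) { z.hi ^= v.hi; z.lo ^= v.lo; }
        x.hi = (x.hi << 1) | (x.lo >> 63);
        x.lo <<= 1;
        const bool carry = (v.lo & 1) != 0;
        v.lo = (v.lo >> 1) | (v.hi << 63);
        v.hi >>= 1;
        if (carry) { v.hi ^= R_HI; }
    }
    return z;
}
```

Both functions return identical values, so functional tests cannot tell them apart; the check that matters is inspecting the assembly generated for the actual target and compiler for conditional branches inside the loop body.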

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published
