Out-of-Bound Memory Reads or Writes in Low-Level GF(2^m) Elliptic Curve APIs
CVE-2024-9143
Key Information:
Badges
What is CVE-2024-9143?
An issue exists with the low-level GF(2^m) elliptic curve APIs in OpenSSL, where the use of untrusted explicit values for the field polynomial may result in out-of-bounds memory reads or writes. This vulnerability can lead to application crashes and has the potential for remote code execution in specific circumstances. The impact is generally low due to the limited support for 'exotic' curve parameters in typical use cases of Elliptic Curve Cryptography (ECC). Most protocols leveraging ECC rely on named curves or X9.62 encoded binary curves that negate the possibility of invalid input values. The affected APIs, including EC_GROUP_new_curve_GF2m() and EC_GROUP_new_from_params(), are particularly relevant for applications manipulating 'exotic' binary curve parameters that could instantiate invalid field polynomials. However, the FIPS modules in versions 3.3, 3.2, 3.1, and 3.0 remain unaffected.
Affected Version(s)
OpenSSL 3.3.0 < 3.3.3
OpenSSL 3.2.0 < 3.2.4
OpenSSL 3.1.0 < 3.1.8
News Articles
ForbesCVE-2024-9143Google Confirms Critical Security Flaw Using AI
Google’s security team has uncovered a two-decades old critical open-source vulnerability which would have continued to be hidden without the help of AI.
ForbesCVE-2024-9143Google Confirms Critical Security Flaw Using AI
Google’s security team has uncovered a two-decades old critical open-source vulnerability which would have continued to be hidden without the help of AI.
References
CVSS V3.1
Timeline
- 👾
Exploit known to exist
- 📰
First article discovered by Forbes
Vulnerability published