Main Vulnerability Database SB2024103162

SB2024103162 - Improper verification of cryptographic signature in Elliptic

Published: October 31, 2024

Security Bulletin ID SB2024103162

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper verification of cryptographic signature (CVE-ID: CVE-2024-48948)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect validation of valid signatures if the hash contains at least four leading 0 bytes and when the order of the elliptic curve's base point is smaller than the hash, because of an _truncateToN anomaly. Such behavior leads to valid signatures being rejected.

Remediation

Install update from vendor's website.

References

https://github.com/indutny/elliptic/pull/322
https://github.com/indutny/elliptic/issues/321
https://github.com/advisories/GHSA-fc9h-whq2-v747