First published: Sat Oct 15 2022(Updated: )
An issue was discovered in wolfSSL before 5.5.0. A fault injection attack on RAM via Rowhammer leads to ECDSA key disclosure. Users performing signing operations with private ECC keys, such as in server-side TLS connections, might leak faulty ECC signatures. These signatures can be processed via an advanced technique for ECDSA key recovery. (In 5.5.0 and later, WOLFSSL_CHECK_SIG_FAULTS can be used to address the vulnerability.)
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
WolfSSL wolfssl | <5.5.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this issue in wolfSSL is CVE-2022-42961.
CVE-2022-42961 has a severity rating of medium with a value of 5.3.
The affected software for CVE-2022-42961 is wolfSSL versions up to but not including 5.5.0.
The vulnerability in wolfSSL allows for a fault injection attack on RAM via Rowhammer, which can lead to ECDSA key disclosure.
To fix the vulnerability in wolfSSL, update to version 5.5.0 or later.