CVE-2024-26317

In illumos illumos-gate 2024-02-15, an error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates, causing the algorithm to yield a result of POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://drive.google.com/file/d/1aGLAFz20-fc7ZLiWouegyK_65jCkGTDb/view?usp=sharing
https://github.com/illumos/illumos-gate
https://rashidkhanpathan.github.io/posts/CVE-2024-26317-Elliptic-curve-point-addition-error/

Configurations

No configuration.

History

28 Jan 2025, 20:15

Type	Values Removed	Values Added
CWE		CWE-327
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
Summary		(es) En illumos illumos-gate 2024-02-15, se produce un error en el algoritmo de suma de puntos de curva elíptica que utiliza coordenadas afines a jacobianas mixtas, lo que hace que el algoritmo arroje un resultado de POINT_AT_INFINITY cuando no debería. Un atacante intermediario podría utilizar esto para interferir en una conexión, lo que provocaría que la parte atacada calcule un secreto compartido incorrecto.

27 Jan 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-27 18:15

Updated : 2025-01-28 20:15

NVD link : CVE-2024-26317

Mitre link : CVE-2024-26317

CVE.ORG link : CVE-2024-26317

JSON object : View

Products Affected

No product.

CWE

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

6.1 /10