Lucene search

[email protected]NVD:CVE-2023-24609

HistoryDec 22, 2023 - 4:15 a.m.

CVE-2023-24609

2023-12-2204:15:08

CWE-190

[email protected]

web.nvd.nist.gov

cve-2023-24609

length-subtraction integer overflow

client hello pre-shared key

sha-2 hash

crafted tls messages

cpu overload

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

12.6%

JSON

Matrix SSL 4.x through 4.6.0 and Rambus TLS Toolkit have a length-subtraction integer overflow for Client Hello Pre-Shared Key extension parsing in the TLS 1.3 server. An attacked device calculates an SHA-2 hash over at least 65 KB (in RAM). With a large number of crafted TLS messages, the CPU becomes heavily loaded. This occurs in tls13VerifyBinder and tls13TranscriptHashUpdate.

Affected configurations

NVD

Node

matrixsslmatrixsslRange4.0.0–4.6.0

Node

rambustls_toolkitMatch-

References

www.rambus.com/security/software-protocols/tls-toolkit/

www.telekom.com/en/company/data-privacy-and-security/news/advisories-504842

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

12.6%

JSON

Related for NVD:CVE-2023-24609

ubuntucve1 cve1 prion1 cvelist1