CVE-2024-50382 in Botan
Summary
by MITRE • 10/23/2024
Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 10/31/2024
This vulnerability exists in the Botan cryptographic library version 3.6.0 and earlier, specifically affecting builds compiled with certain versions of LLVM including Clang 15 on RISC-V architectures. The issue stems from compiler-induced secret-dependent control flow patterns that manifest in the GHASH implementation within the AES-GCM authenticated encryption mode. The flaw occurs in the lib/utils/ghash/ghash.cpp file where a conditional branch is introduced instead of an XOR operation with carry, creating a timing side-channel that could potentially leak cryptographic secrets.
The technical root cause lies in how the LLVM compiler optimizes the GHASH function implementation, particularly when targeting RISC-V architectures with Clang 15. This optimization results in conditional execution paths that depend on secret data values, violating the fundamental principle of constant-time execution that cryptographic implementations must maintain. The vulnerability specifically affects the carry propagation logic within the GHASH computation where the compiler generates code that branches based on the values of secret data, creating observable timing differences that can be exploited by attackers.
The operational impact of this vulnerability is significant for systems relying on Botan's AES-GCM implementation, particularly those deployed in environments where timing attacks are a concern. An attacker could potentially reconstruct secret keys or other sensitive cryptographic material through careful timing analysis of the GHASH operations. This vulnerability affects the security guarantees of authenticated encryption, as the timing variations could be amplified through cache timing attacks or other side-channel methodologies. The issue is particularly concerning in environments where the same cryptographic operations are performed repeatedly with different secret data.
Mitigation strategies include upgrading to Botan version 3.6.0 or later, which contains fixes for this compiler-induced control flow issue. Organizations should also consider using different compiler versions or optimization levels that do not trigger the problematic code generation patterns. The fix addresses the underlying compiler optimization issue by ensuring that the GHASH implementation maintains constant-time execution characteristics regardless of input data values. Additionally, system administrators should monitor for any custom build configurations that might use LLVM 15 or similar versions on RISC-V platforms that could reproduce this vulnerability.
This vulnerability aligns with CWE-388, which covers the use of error handling mechanisms that can be exploited for timing attacks, and relates to ATT&CK technique T1059.001 for compiler-based attacks. The issue demonstrates how modern compiler optimizations can inadvertently introduce security weaknesses in cryptographic implementations, highlighting the importance of thorough security testing across different compilation environments and target architectures. The vulnerability represents a specific case of compiler-induced side-channels that can undermine the security properties of well-designed cryptographic algorithms through implementation-level flaws rather than fundamental algorithmic weaknesses.