openCryptoki Private Key C_CreateObject/C_DeriveKey information disclosure
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.0 | $0-$5k | 0.00 |
Summary
A vulnerability was found in openCryptoki and classified as problematic. Affected by this vulnerability is the function C_CreateObject/C_DeriveKey of the component Private Key Handler. Executing a manipulation can lead to information disclosure.
The identification of this vulnerability is CVE-2021-3798. There is no exploit available.
Applying a patch is advised to resolve this issue.
Details
A vulnerability classified as problematic was found in openCryptoki (the affected version is unknown). This vulnerability affects the function C_CreateObject/C_DeriveKey of the component Private Key Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. CVE summarizes:
A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.
The weakness was shared 08/24/2022. The advisory is shared for download at github.com. This vulnerability was named CVE-2021-3798 since 09/13/2021. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1592.
Applying the patch 4e3b43c3d8844402c04a66b55c6c940f965109f0 is able to eliminate this problem. The bugfix is ready for download at github.com.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Product
Name
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.0VulDB Meta Temp Score: 4.0
VulDB Base Score: 2.6
VulDB Temp Score: 2.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 5.5
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Information disclosureCWE: CWE-200 / CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: Partially
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: 4e3b43c3d8844402c04a66b55c6c940f965109f0
Timeline
09/13/2021 🔍08/24/2022 🔍
08/24/2022 🔍
09/25/2022 🔍
Sources
Product: github.comAdvisory: 4e3b43c3d8844402c04a66b55c6c940f965109f0
Status: Confirmed
CVE: CVE-2021-3798 (🔍)
GCVE (CVE): GCVE-0-2021-3798
GCVE (VulDB): GCVE-100-207064
Entry
Created: 08/24/2022 09:14Updated: 09/25/2022 09:27
Changes: 08/24/2022 09:14 (40), 09/25/2022 09:23 (1), 09/25/2022 09:27 (11)
Complete: 🔍
Cache ID: 216::103
VulDB is the best source for vulnerability data and more expert information about this specific topic.
No comments yet. Languages: en.
Please log in to comment.