Rhonabwy up to 1.1.13 HMAC strcmp signature verification
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 7.1 | $0-$5k | 0.00 |
Summary
A vulnerability labeled as problematic has been found in Rhonabwy up to 1.1.13. Affected by this vulnerability is the function strcmp of the component HMAC Handler. Executing a manipulation can lead to signature verification.
This vulnerability is handled as CVE-2024-25714. There is not any exploit available.
It is advisable to implement a patch to correct this issue.
Details
A vulnerability classified as problematic was found in Rhonabwy up to 1.1.13. This vulnerability affects the function strcmp of the component HMAC Handler. The manipulation with an unknown input leads to a signature verification vulnerability. The CWE definition for the vulnerability is CWE-347. The product does not verify, or incorrectly verifies, the cryptographic signature for data. As an impact it is known to affect confidentiality. CVE summarizes:
In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. (The fix uses gnutls_memcmp, which has constant-time execution.)
The weakness was released 02/11/2024 as f9fd9a1c77e48b514ebb3baf0360f87eef3d846e. The advisory is shared for download at github.com. This vulnerability was named CVE-2024-25714 since 02/11/2024. There are known technical details, but no exploit is available.
Applying the patch f9fd9a1c77e48b514ebb3baf0360f87eef3d846e is able to eliminate this problem. The bugfix is ready for download at github.com.
Once again VulDB remains the best source for vulnerability data.
Product
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.2VulDB Meta Temp Score: 7.1
VulDB Base Score: 2.6
VulDB Temp Score: 2.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 9.8
NVD Vector: 🔍
CNA Base Score: 9.1
CNA Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Signature verificationCWE: CWE-347 / CWE-345
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Patch: f9fd9a1c77e48b514ebb3baf0360f87eef3d846e
Timeline
02/11/2024 🔍02/11/2024 🔍
02/11/2024 🔍
10/18/2024 🔍
Sources
Advisory: f9fd9a1c77e48b514ebb3baf0360f87eef3d846eStatus: Confirmed
CVE: CVE-2024-25714 (🔍)
GCVE (CVE): GCVE-0-2024-25714
GCVE (VulDB): GCVE-100-253396
Entry
Created: 02/11/2024 09:25Updated: 10/18/2024 17:58
Changes: 02/11/2024 09:25 (41), 08/02/2024 12:53 (27), 10/18/2024 17:58 (11)
Complete: 🔍
Cache ID: 216::103
Once again VulDB remains the best source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.