CVE-2024-11862
UNKNOWN
Published 2024-11-27T14:35:01.734Z
No CVSS data available
Description
Non-constant-time cryptographic operation in Devolutions.XTS.NET 2024.11.19 and earlier allows an attacker to render half of the encryption key obsolete via a timing attack.
Available Exploits
No exploits available for this CVE.
Related News
No news articles found for this CVE.
Affected Products
Affected Versions:
GitHub Security Advisories
Community-driven vulnerability intelligence from GitHub
✓ GitHub Reviewed
MODERATE
Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications
GHSA-j6vm-4r7g-x4gr
Advisory Details
### Impact
Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering half of the XTS key obsolete. Timing attacks require specific conditions to be exploitable.
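An added illustration, not code from Devolutions.XTS.NET or the advisory: in XTS the per-block tweak is derived from the second half of the key and multiplied by α in GF(2^128) for each block, and a conditional reduction in that step is a common source of the kind of timing difference described above. The sketch contrasts a branchy doubling with a masked one and checks that they agree. It assumes the standard XTS little-endian tweak layout and reduction constant 0x87; all names are hypothetical, and the page does not say whether the affected versions used this exact form.

```csharp
using System;

// Added illustration; not taken from Devolutions.XTS.NET.
static class XtsTweakDoubling
{
    // Shift the 128-bit little-endian tweak left by one bit; return the bit shifted out.
    static int ShiftLeft1(byte[] t)
    {
        int carry = 0;
        for (int i = 0; i < 16; i++)
        {
            int next = t[i] >> 7;
            t[i] = (byte)(((t[i] << 1) | carry) & 0xFF);
            carry = next;
        }
        return carry;
    }

    // Variable-time: the branch is taken only when the secret tweak's top bit is set.
    public static void MulAlphaBranchy(byte[] t)
    {
        if (ShiftLeft1(t) != 0) t[0] ^= 0x87;
    }

    // Branch-free: -carry is 0 or all ones, so the XOR always executes.
    // Source-level only; confirm the JIT output has no secret-dependent branch.
    public static void MulAlphaMasked(byte[] t)
    {
        int carry = ShiftLeft1(t);
        t[0] ^= (byte)(0x87 & -carry);
    }

    static void Main()
    {
        var rng = new Random(1); // constructed test inputs
        for (int n = 0; n < 100000; n++)
        {
            var a = new byte[16];
            rng.NextBytes(a);
            if (n == 0) { Array.Clear(a, 0, 16); a[15] = 0x80; } // forces the reduction
            var b = (byte[])a.Clone();
            MulAlphaBranchy(a);
            MulAlphaMasked(b);
            if (BitConverter.ToString(a) != BitConverter.ToString(b))
                throw new Exception("implementations disagree");
            if (n == 0 && a[0] != 0x87) throw new Exception("reduction wrong");
        }
        Console.WriteLine("branchy and masked doubling agree");
    }
}
```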
### Patches
Patched in 2024.11.26
### Workarounds
Upgrade the package
### References
https://en.wikipedia.org/wiki/Timing_attack
Affected Packages
Ecosystem: NuGet
Package: Devolutions.XTS.NET
Affected versions: ≥0, <2024.11.26
CVSS Scoring
CVSS Score
5.0
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
References
Advisory provided by GitHub Security Advisory Database. Published: November 27, 2024, Modified: November 27, 2024
Published: 2024-11-27T14:35:01.734Z
Last Modified: 2024-11-27T14:53:57.448Z