CVE-2024-13176

UNKNOWN

Published 2025-01-20T13:29:57.047Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-13176. We'll provide specific mitigation strategies based on your environment and risk profile.

CVSS Score

V3.1

4.1

/10

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Base Score Metrics

Exploitability: N/A Impact: N/A

EPSS Score

v2025.03.14

0.000

probability

of exploitation in the wild

There is a 0.0% chance that this vulnerability will be exploited in the wild within the next 30 days.

Updated: 2025-06-25

Exploit Probability

Percentile: 0.132

Higher than 13.2% of all CVEs

Attack Vector Metrics

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Impact Metrics

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Description

Issue summary: A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations
could allow recovering the private key by an attacker. However, measuring
the timing would require either local access to the signing application or
a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the attacker
process must either be located in the same physical computer or must
have a very fast network connection with low latency. For that reason
the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

OpenSSL

Affected Versions:

3.4.0 3.3.0 3.2.0 3.1.0 3.0.0 1.1.1 1.0.2

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-r9fv-h47r-823f

Advisory Details

Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-13176

WEB https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844

WEB https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467

WEB https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902

WEB https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65

WEB https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f

WEB https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded

WEB https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86

WEB https://lists.debian.org/debian-lts-announce/2025/05/msg00028.html

WEB https://openssl-library.org/news/secadv/20250120.txt

WEB https://security.netapp.com/advisory/ntap-20250124-0005

WEB https://security.netapp.com/advisory/ntap-20250418-0010

WEB http://www.openwall.com/lists/oss-security/2025/01/20/2

Advisory provided by GitHub Security Advisory Database. Published: January 20, 2025, Modified: May 26, 2025

Social Media Intelligence

Real-time discussions and threat intelligence from social platforms

1 post

Reddit • 3 weeks, 6 days ago

Ambitious-Stomach-30

New BIOS update for gen 9. Contains nothing important General Information: NKCN32WW: BIOS Notification : 1. Fixed 1) N/A. 2. Add 1) Add Microsoft 2023 Cert. 3. Modified 1) Enhancement to address security vulnerability CVE-2025-4275. 2) Enhancement to address security vulnerability CVE-2024-55567. 3) Enhancement to address security vulnerability CVE-2024-13176. 4) …

Also mentions: CVE-2024-55567 CVE-2025-4275 CVE-2024-38796

8.0

View Original