Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2021-20305

Опубликовано: 05 апр. 2021
Источник: debian
EPSS Низкий

Описание

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
nettlefixed3.7.2-1package

Примечания

  • https://lists.lysator.liu.se/pipermail/nettle-bugs/2021/009457.html

  • New functions ecc_mod_mul_canonical and ecc_mod_sqr_canonical:

  • https://git.lysator.liu.se/nettle/nettle/-/commit/a63893791280d441c713293491da97c79c0950fe

  • Use ecc_mod_mul_canonical for point comparison:

  • https://git.lysator.liu.se/nettle/nettle/-/commit/971bed6ab4b27014eb23085e8176917e1a096fd5

  • Fix bug in ecc_ecdsa_verify:

  • https://git.lysator.liu.se/nettle/nettle/-/commit/74ee0e82b6891e090f20723750faeb19064e31b2

  • Ensure ecdsa_sign output is canonically reduced:

  • https://git.lysator.liu.se/nettle/nettle/-/commit/51f643eee00e2caa65c8a2f5857f49acdf3ef1ce

  • Analogous fix to ecc_gostdsa_verify:

  • https://git.lysator.liu.se/nettle/nettle/-/commit/401c8d53d8a8cf1e79980e62bda3f946f8e07c14

  • Similar fix for eddsa:

  • https://git.lysator.liu.se/nettle/nettle/-/commit/ae3801a0e5cce276c270973214385c86048d5f7b

  • Fix canonical reduction in gostdsa_vko:

  • https://git.lysator.liu.se/nettle/nettle/-/commit/63f222c60b03470c0005aa9bc4296fbf585f68b9

EPSS

Процентиль: 39%
0.00176
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2021-20305

CVSS3: 8.1
ubuntu
почти 5 лет назад

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

redhat логотип

CVE-2021-20305

CVSS3: 8.1
redhat
почти 5 лет назад

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

nvd логотип

CVE-2021-20305

CVSS3: 8.1
nvd
почти 5 лет назад

A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography point (ECC) multiply function being called with out-of-range scalers, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat to this vulnerability is to confidentiality, integrity, as well as system availability.

msrc логотип

CVE-2021-20305

CVSS3: 8.1
msrc
почти 5 лет назад

Описание отсутствует

suse-cvrf логотип

openSUSE-SU-2021:0635-1

suse-cvrf
почти 5 лет назад

Security update for libnettle

EPSS

Процентиль: 39%
0.00176
Низкий