CVE-2022-24884 — CRITICAL (10.0)

Q: How severe is CVE-2022-24884?

CVE-2022-24884 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2022-24884?

Check the references section above for vendor advisories and patch information. Affected products include: Ecdsautils Project Ecdsautils, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.

CVSS Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Ecdsautils Project	Ecdsautils	< 0.4.1
Fedoraproject	Fedora	34
Debian	Debian Linux	9.0

Related Weaknesses (CWE)

CWE-347

References

https://github.com/freifunk-gluon/ecdsautils/commit/1d4b091abdf15ad7b2312535b5b9PatchThird Party Advisory
https://github.com/freifunk-gluon/ecdsautils/commit/39b6d0a77414fd41614953a0e185PatchThird Party Advisory
https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00007.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.debian.org/security/2022/dsa-5132Third Party Advisory
https://github.com/freifunk-gluon/ecdsautils/commit/1d4b091abdf15ad7b2312535b5b9PatchThird Party Advisory
https://github.com/freifunk-gluon/ecdsautils/commit/39b6d0a77414fd41614953a0e185PatchThird Party Advisory
https://github.com/freifunk-gluon/ecdsautils/security/advisories/GHSA-qhcg-9ffp-Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/05/msg00007.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro

FAQ

What is CVE-2022-24884?

CVE-2022-24884 is a vulnerability with a CVSS score of 10.0 (CRITICAL). ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature c...

How severe is CVE-2022-24884?

CVE-2022-24884 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2022-24884?

Check the references section above for vendor advisories and patch information. Affected products include: Ecdsautils Project Ecdsautils, Fedoraproject Fedora, Debian Debian Linux.