CVE-2024-25714
11.02.2024, 03:15
In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. (The fix uses gnutls_memcmp, which has constant-time execution.)Enginsight
| Vendor | Product | Version |
|---|---|---|
| rhonabwy_project | rhonabwy | 𝑥 ≤ 1.1.3 |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 12.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-203 - Observable DiscrepancyThe product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
- CWE-1255 - Comparison Logic is Vulnerable to Power Side-Channel AttacksA device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.