PT-2023-20725 · Unknown · Bnb-Chain/Tss-Lib+3
Published 2023-04-21 · Updated 2023-07-11 · CVE-2023-26556
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
io.finnet tss-lib versions prior to 2.0.0
bnb-chain/tss-lib versions prior to 2.0.0
thorchain/tss versions prior to 2.0.0
Description
The issue is a timing side channel that can leak the secret key. It occurs because the scalar-multiplication implementation in Go crypto/elliptic is not constant time: an if statement inside the main loop makes the work done per iteration depend on the secret scalar's bits. One of the leaks is located in ecdsa/keygen/round 2.go.
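The weakness class the description names, a secret-dependent branch inside the scalar-multiplication loop, and its standard mitigation are shown below in an added example. This is not code from tss-lib, thorchain/tss or Go's crypto/elliptic; it uses a constructed toy curve (y^2 = x^3 + 7 over F_17, generator (15, 13) of order 18) and 8-bit scalars purely so the arithmetic fits in plain integers. `mulBranchy` is the leaky double-and-add pattern: the number of point additions, and therefore the running time, tracks the Hamming weight of the secret scalar. `mulLadder` is a Montgomery ladder that performs the same operations on every iteration and lets the secret bit steer only data, through a constant-time swap built on `crypto/subtle`. The point and field arithmetic is left as textbook affine code, because the point being illustrated is the loop, not the field operations; a production implementation also needs constant-time field arithmetic and projective coordinates.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

// Constructed toy curve y^2 = x^3 + 7 over F_17 (a = 0); G has order 18.
// Chosen so the arithmetic fits in uint64; it is not a real parameter set.
const p uint64 = 17

// Point is affine; Inf == 1 marks the point at infinity (the group identity).
type Point struct{ X, Y, Inf uint64 }

var G = Point{X: 15, Y: 13}

// mod reduces a possibly negative intermediate into [0, p).
func mod(v int64) uint64 { return uint64((v%int64(p) + int64(p)) % int64(p)) }

// inv returns v^(p-2) mod p (Fermat), the inverse of v != 0.
func inv(v uint64) uint64 {
	r, base := uint64(1), v%p
	for e := p - 2; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = r * base % p
		}
		base = base * base % p
	}
	return r
}

// add is textbook affine addition. It is deliberately left unhardened: the
// advisory's weakness is the branch in the scalar loop, not the field ops.
func add(P, Q Point) Point {
	if P.Inf == 1 {
		return Q
	}
	if Q.Inf == 1 {
		return P
	}
	var lam uint64
	if P.X == Q.X {
		if P.Y != Q.Y || P.Y == 0 {
			return Point{Inf: 1} // P + (-P), or doubling a point with y = 0
		}
		lam = 3 * P.X * P.X % p * inv(2*P.Y%p) % p // tangent slope, a = 0
	} else {
		lam = mod(int64(Q.Y)-int64(P.Y)) * inv(mod(int64(Q.X)-int64(P.X))) % p
	}
	x := mod(int64(lam*lam) - int64(P.X) - int64(Q.X))
	y := mod(int64(lam)*(int64(P.X)-int64(x)) - int64(P.Y))
	return Point{X: x, Y: y}
}

// cswap swaps A and B when bit == 1 by constant-time selection rather than
// by branching on the secret bit (toy: coordinates are small ints).
func cswap(bit int, A, B Point) (Point, Point) {
	sel := func(x, y uint64) uint64 { return uint64(subtle.ConstantTimeSelect(bit, int(x), int(y))) }
	nA := Point{X: sel(B.X, A.X), Y: sel(B.Y, A.Y), Inf: sel(B.Inf, A.Inf)}
	nB := Point{X: sel(A.X, B.X), Y: sel(A.Y, B.Y), Inf: sel(A.Inf, B.Inf)}
	return nA, nB
}

// mulBranchy is the leaky pattern the advisory describes: the `if` on the
// secret bit makes the number of additions, and so the time, track the scalar.
func mulBranchy(k uint64, P Point) (Point, int) {
	R, adds := Point{Inf: 1}, 0
	for i := 7; i >= 0; i-- { // 8-bit scalars suffice for a group of order 18
		R = add(R, R)
		if (k>>uint(i))&1 == 1 {
			R = add(R, P)
			adds++
		}
	}
	return R, adds
}

// mulLadder is a Montgomery ladder: each iteration does one addition and one
// doubling regardless of the bit; the bit only steers data through cswap.
func mulLadder(k uint64, P Point) (Point, int) {
	R0, R1, adds := Point{Inf: 1}, P, 0
	for i := 7; i >= 0; i-- {
		bit := int((k >> uint(i)) & 1)
		R0, R1 = cswap(bit, R0, R1)
		R1 = add(R0, R1) // R0 + R1
		R0 = add(R0, R0) // 2*R0
		R0, R1 = cswap(bit, R0, R1)
		adds++
	}
	return R0, adds
}

func main() {
	for _, k := range []uint64{1, 18, 255} {
		rb, ab := mulBranchy(k, G)
		rl, al := mulLadder(k, G)
		fmt.Printf("k=%3d branchy=%v (%d adds) ladder=%v (%d adds)\n", k, rb, ab, rl, al)
	}
}
```

Both functions return the same point for every scalar, but the addition count returned by `mulBranchy` is 1 for k = 1 and 8 for k = 255, while `mulLadder` always reports 8. That data-independent operation count is what a reviewer looks for when auditing a scalar-multiplication loop; it is also why the fix for this class of bug is a branch-free ladder (or a complete, regular windowed method), not a patch to the individual branch.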
Recommendations
For io.finnet tss-lib versions prior to 2.0.0, update to version 2.0.0 or later.
For bnb-chain/tss-lib versions prior to 2.0.0, update to version 2.0.0 or later.
For thorchain/tss versions prior to 2.0.0, update to version 2.0.0 or later.
Fix
Side Channel Attack
Affected Products
Go Crypto/Elliptic
Bnb-Chain/Tss-Lib
Io.Finnet Tss-Lib
Thorchain/Tss