CVE-2024-1544

Name of the Vulnerable Software and Affected Versions WolfSSL (affected versions not specified)

Description The issue is related to the generation of the ECDSA nonce k, where a random number r is selected and then reduced modulo n, the order of the elliptic curve. The division used during the reduction estimates a factor q e by dividing the upper two digits of r by the upper digit of n and then decrements q e in a loop until it has the correct size. Observing the number of times q e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve, this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, a bias of 15 bits is found.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.