Plattform
nvidia
Komponente
nvidia-gpu-display-driver
Behoben in
17.4.1
CVE-2024-0117 describes a timing attack vulnerability within the Crystals-Go library, a Go implementation of post-quantum cryptography. This vulnerability allows attackers to potentially extract secret keys by analyzing the time taken to perform cryptographic operations. The vulnerability affects versions prior to 0.0.0-20240116172146-2a6ca2d4e64d. A fix has been released, and upgrading is the recommended course of action.
The Kyberslash timing attack, as described in CVE-2024-0117, allows an attacker to infer information about the secret key used in the Crystals-Kyber post-quantum key encapsulation mechanism. By repeatedly performing cryptographic operations and measuring the execution time, an attacker can statistically deduce the key bits. Successful exploitation could lead to the compromise of encrypted data and the potential for decryption of sensitive information protected by Crystals-Kyber. The impact is particularly severe as Crystals-Kyber is designed to provide long-term security against quantum computer attacks, making key compromise a significant concern.
CVE-2024-0117 was published on January 17, 2024. The vulnerability is related to the Kyberslash attack, a known timing attack against the Crystals-Kyber algorithm. Public proof-of-concept (POC) code is likely to emerge, increasing the risk of exploitation. The EPSS score is currently pending evaluation, but given the potential impact and the nature of timing attacks, a medium to high probability of exploitation is anticipated. Refer to the Kudelskisecurity advisory for further details.
Exploit-Status
EPSS
0.16% (37% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2024-0117 is to upgrade to version 0.0.0-20240116172146-2a6ca2d4e64d or later. If upgrading is not immediately feasible, consider implementing rate limiting on cryptographic operations to obscure timing variations. While not a complete solution, this can raise the bar for attackers. Monitor system logs for unusual timing patterns or repeated cryptographic operation attempts. After upgrading, confirm the fix by performing benchmark tests of the cryptographic functions to ensure consistent execution times.
Actualice el controlador de la GPU NVIDIA a la última versión disponible desde el sitio web oficial de NVIDIA o a través de Windows Update. Esto solucionará la vulnerabilidad de lectura fuera de límites. Consulte el aviso de seguridad de NVIDIA para obtener más detalles e instrucciones específicas.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
It's a high-severity timing attack vulnerability in the Crystals-Go library, potentially allowing attackers to extract secret keys used by Kyberslash.
If you are using Crystals-Go versions prior to 0.0.0-20240116172146-2a6ca2d4e64d, you are potentially affected by this vulnerability.
Upgrade to version 0.0.0-20240116172146-2a6ca2d4e64d or later to patch the timing attack vulnerability.
Currently, there are no publicly known exploits or active campaigns targeting CVE-2024-0117, but the potential for key compromise remains a concern.
Refer to the National Vulnerability Database (NVD) entry for CVE-2024-0117: https://nvd.nist.gov/vuln/detail/CVE-2024-0117
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.