平台
nvidia
组件
nvidia-gpu-display-driver
修复版本
17.4.1
CVE-2024-0117 represents a timing attack vulnerability discovered within the Crystals-Go library (github.com/kudelskisecurity/crystals-go). This flaw allows an attacker to potentially deduce secret keys by carefully measuring the time taken for cryptographic operations to complete. Successful exploitation could lead to unauthorized access to sensitive data. This vulnerability affects versions of Crystals-Go prior to 0.0.0-20240116172146-2a6ca2d4e64d, and a patched version is now available.
The core of this vulnerability lies in the implementation of Kyberslash, a post-quantum key encapsulation mechanism. The timing attack exploits subtle variations in execution time based on the secret key being used. An attacker can repeatedly initiate Kyberslash operations, measuring the time taken for each. By analyzing these timing differences, they can statistically infer information about the secret key. The impact is significant: successful key extraction grants the attacker the ability to decrypt previously encrypted data and potentially forge new encrypted communications. This could compromise the confidentiality and integrity of systems relying on Crystals-Go for cryptographic protection. While the attack requires careful measurement and statistical analysis, the potential for key compromise makes this a high-priority vulnerability to address.
CVE-2024-0117 was published on January 17, 2024. Its severity is rated as High (CVSS 7.5). There are currently no publicly available exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the near term. However, the potential for key compromise warrants prompt attention. Refer to the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2024-0117) for further details and updates.
漏洞利用状态
EPSS
0.16% (37% 百分位)
CVSS 向量
The primary mitigation for CVE-2024-0117 is to immediately upgrade to version 0.0.0-20240116172146-2a6ca2d4e64d or later. This patched version includes countermeasures to prevent the timing leak. If an immediate upgrade is not feasible due to compatibility issues or system downtime constraints, consider implementing temporary workarounds. While no perfect workaround exists, careful code review and potentially adding random delays to cryptographic operations might obscure the timing variations, but this is not a substitute for patching. Monitor your systems for unusual timing patterns that could indicate an active attack. After upgrading, confirm the fix by running a series of Kyberslash operations and verifying that the execution times are consistent and do not reveal any timing-based information.
Actualice el controlador de la GPU NVIDIA a la última versión disponible desde el sitio web oficial de NVIDIA o a través de Windows Update. Esto solucionará la vulnerabilidad de lectura fuera de límites. Consulte el aviso de seguridad de NVIDIA para obtener más detalles e instrucciones específicas.
漏洞分析和关键警报直接发送到您的邮箱。
It's a high-severity timing attack vulnerability in the Crystals-Go library, potentially allowing attackers to extract secret keys used by Kyberslash.
If you are using Crystals-Go versions prior to 0.0.0-20240116172146-2a6ca2d4e64d, you are potentially affected by this vulnerability.
Upgrade to version 0.0.0-20240116172146-2a6ca2d4e64d or later to patch the timing attack vulnerability.
Currently, there are no publicly known exploits or active campaigns targeting CVE-2024-0117, but the potential for key compromise remains a concern.
Refer to the National Vulnerability Database (NVD) entry for CVE-2024-0117: https://nvd.nist.gov/vuln/detail/CVE-2024-0117