CVE-2024-1544

Publication date 27 August 2024

Last updated 11 July 2025


Ubuntu priority

Cvss 3 Severity Score

4.1 · Medium

Score breakdown

Generating the ECDSA nonce k samples a random number r and then truncates this randomness with a modular reduction mod n where n is the order of the elliptic curve. Meaning k = r mod n. The division used during the reduction estimates a factor q_e by dividing the upper two digits (a digit having e.g. a size of 8 byte) of r by the upper digit of n and then decrements q_e in a loop until it has the correct size. Observing the number of times q_e is decremented through a control-flow revealing side-channel reveals a bias in the most significant bits of k. Depending on the curve this is either a negligible bias or a significant bias large enough to reconstruct k with lattice reduction methods. For SECP160R1, e.g., we find a bias of 15 bits.

Status

Package Ubuntu Release Status
wolfssl 25.04 plucky
Needs evaluation
24.10 oracular Ignored end of life, was needs-triage
24.04 LTS noble
Needs evaluation
22.04 LTS jammy
Needs evaluation
20.04 LTS focal
Needs evaluation
18.04 LTS bionic
Needs evaluation
16.04 LTS xenial
Needs evaluation

Severity score breakdown

Parameter Value
Base score 4.1 · Medium
Attack vector Local
Attack complexity High
Privileges required High
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N