logo

Database

Security controls bypass or absence In devolutions.xts.net

Description

Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications

Impact

Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering half of the XTS key obsolete. Timing attacks require specific conditions to be exploitable.

Patches

Patched in 2024.11.26

Workarounds

Upgrade the package

References

https://en.wikipedia.org/wiki/Timing_attack

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-118622. NVD-2024-118623. OSV-2024-118624. GHSA-j6vm-4r7g-x4gr5. GCVE-2024-11862

References

1. https://github.com/Devolutions/XTS.NET/security/advisories/GHSA-j6vm-4r7g-x4gr2. https://github.com/Devolutions/XTS.NET/commit/fb349d5bfb587218e8603b38ea37f03f036b57fd

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.