421 Insecure encryption algorithm - Insecure Elliptic Curve


Description

The system makes use of weak elliptic curves.


Impact

- Produce incorrect results for some unusual curve points
- Expose secret data when the input is not a curve point
- Expose secret data through branch synchronization
- Expose secret data through cache synchronization


Recommendation

Ensure that the curves used are safe for both ECDLP and ECC in general.
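One way to screen a curve's domain parameters for ECDLP weaknesses before approving it, as an added example that is not part of the original entry. The function names, the 224-bit size floor and the embedding-degree bound of 100 are assumptions chosen for illustration; the check covers the ECDLP side only and says nothing about implementation properties such as timing behaviour.

```python
import random

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def audit_curve(p, a, b, n, h, min_bits=224, max_k=100):
    """Findings for y^2 = x^3 + ax + b over GF(p); n = subgroup order, h = cofactor."""
    if not (is_probable_prime(p) and is_probable_prime(n)):
        return ["p or n is not prime"]  # remaining checks assume prime p and n
    findings = []
    if n.bit_length() < min_bits:  # assumed floor, roughly 112-bit strength
        findings.append("subgroup too small (generic ECDLP attacks)")
    if (4 * a**3 + 27 * b**2) % p == 0:
        findings.append("singular curve")
    if (n * h - (p + 1)) ** 2 > 4 * p:
        findings.append("claimed order violates Hasse bound")
    if n == p:
        findings.append("anomalous curve (additive transfer)")
    if any(pow(p, k, n) == 1 for k in range(1, max_k + 1)):  # assumed bound
        findings.append("small embedding degree (pairing transfer)")
    return findings

# NIST P-256 domain parameters (public standard values).
P256 = dict(
    p=0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    a=0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
    h=1)
# Constructed toy curve y^2 = x^3 + 2x + 2 over GF(17), group order 19.
TOY = dict(p=17, a=2, b=2, n=19, h=1)

if __name__ == "__main__":
    for name, params in (("P-256", P256), ("toy", TOY)):
        print(name, audit_curve(**params) or "no findings")
```

An empty result means only that none of these parameter-level checks fired.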


Threat

Unauthenticated attacker from the Internet.


Expected Remediation Time

60 minutes.


Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

  • Attack vector: A
  • Attack complexity: H
  • Attack Requirements: N
  • Privileges required: N
  • User interaction: P
  • Confidentiality (VC): L
  • Integrity (VI): L
  • Availability (VA): N
  • Confidentiality (SC): N
  • Integrity (SI): N
  • Availability (SA): N

Threat 4.0

  • Exploit maturity: U

Requirements


Fixes


Last updated

2024/02/21