Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qNnZtLTRyN2cteDRncs4ABB4Y

Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications

Impact

Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering half of the XTS key obsolete. Timing attacks require specific conditions to be exploitable.

Patches

Patched in 2024.11.26

Workarounds

Upgrade the package

References

https://en.wikipedia.org/wiki/Timing_attack

Permalink: https://github.com/advisories/GHSA-j6vm-4r7g-x4gr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNnZtLTRyN2cteDRncs4ABB4Y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 13 days ago
Updated: 13 days ago


EPSS Percentage: 0.00043
EPSS Percentile: 0.10511

Identifiers: GHSA-j6vm-4r7g-x4gr, CVE-2024-11862
References: Repository: https://github.com/Devolutions/XTS.NET
Blast Radius: 1.0

Affected Packages

nuget:Devolutions.XTS.NET
Dependent packages: 0
Dependent repositories: 0
Downloads: 172 total
Affected Version Ranges: < 2024.11.26
Fixed in: 2024.11.26
All affected versions: 2024.11.19
All unaffected versions: 2024.11.26