Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qNnZtLTRyN2cteDRncs4ABB4Y
Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications
Impact
Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering half of the XTS key obsolete. Timing attacks require specific conditions to be exploitable.
Patches
Patched in 2024.11.26
Workarounds
Upgrade the package
References
https://en.wikipedia.org/wiki/Timing_attack
Permalink: https://github.com/advisories/GHSA-j6vm-4r7g-x4grJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNnZtLTRyN2cteDRncs4ABB4Y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 13 days ago
Updated: 13 days ago
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-j6vm-4r7g-x4gr, CVE-2024-11862
References:
- https://github.com/Devolutions/XTS.NET/security/advisories/GHSA-j6vm-4r7g-x4gr
- https://nvd.nist.gov/vuln/detail/CVE-2024-11862
- https://github.com/Devolutions/XTS.NET/commit/fb349d5bfb587218e8603b38ea37f03f036b57fd
- https://github.com/advisories/GHSA-j6vm-4r7g-x4gr
Blast Radius: 1.0
Affected Packages
nuget:Devolutions.XTS.NET
Dependent packages: 0Dependent repositories: 0
Downloads: 172 total
Affected Version Ranges: < 2024.11.26
Fixed in: 2024.11.26
All affected versions: 2024.11.19
All unaffected versions: 2024.11.26