CVE-2023-46324

Published: Oct 23, 2023Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

pkg/suci/suci.go in free5GC udm before 1.2.0, when Go before 1.19 is used, allows an Invalid Curve Attack because it may compute a shared secret via an uncompressed public key that has not been validated. An attacker can send arbitrary SUCIs to the UDM, which tries to decrypt them via both its private key and the attacker's public key.

Affected (1)

Products: Free5gc: Udm

1 product

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Free5gc Udm	Before 1.2.0

Running on/with	Platform Versions
Golang Go	Before 1.19

Related CWEs

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (6)

https://github.com/free5gc/udm/compare/v1.1.1...v1.2.0

Source: cve@mitre.org

Product

https://github.com/free5gc/udm/pull/20

Source: cve@mitre.org

PatchThird Party Advisory

https://www.gsma.com/security/wp-content/uploads/2023/10/0073-invalid_curve.pdf

Source: cve@mitre.org

https://github.com/free5gc/udm/compare/v1.1.1...v1.2.0

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://github.com/free5gc/udm/pull/20

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.gsma.com/security/wp-content/uploads/2023/10/0073-invalid_curve.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.