Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
4.7
CVSSv3

CVE-2023-25000

Published: 30/03/2023 Updated: 26/05/2023
CVSS v3 Base Score: 4.7 | Impact Score: 3.6 | Exploitability Score: 1
VMScore: 0
Subscribe to Vault

Vulnerability Summary

HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. Fixed in Vault 1.13.1, 1.12.5, and 1.11.9.

Vulnerable Product Search on Vulmon Subscribe to Product

hashicorp vault

Vendor Advisories

Red Hat: Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update
Synopsis Important: Red Hat OpenShift Data Foundation 4130 security and bug fix update Type/Severity Security Advisory: Important Topic Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4130 on Red Hat Enterprise Linux 9Red Hat ...
Red Hat:
DescriptionThe MITRE CVE dictionary describes this issue as: HashiCorp Vault's implementation of Shamir's secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space ...

Github Repositories

https://github.com/wavefnx/shamirs

A cryptographic library for splitting and reconstructing secrets using Shamir's Secret Sharing.

ShamiRS Overview | Disclaimer | Security | Acknowledgments | Tests | Installation | Usage | Examples | License Overview ShamiRS (shamir-rs) utilizes Sharmir's Secret Sharing, a cryptographic method for dividing a secret into multiple shares In this context, the secret is represented as a polynomial in Galois Field GF(2^8) where each share corresponds to a point

References

CWE-203https://discuss.hashicorp.com/t/hcsec-2023-10-vault-vulnerable-to-cache-timing-attacks-during-seal-and-unseal-operations/52078https://security.netapp.com/advisory/ntap-20230526-0008/https://nvd.nist.govhttps://access.redhat.com/errata/RHSA-2023:3742https://github.com/wavefnx/shamirshttps://access.redhat.com/security/cve/cve-2023-25000
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2023-21991CVE-2024-32674path traversalCVE-2023-21987denial of servicedosCVE-2024-4647CVE-2024-25519CVE-2024-33612
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook