tlsfuzzer/python-ecdsa

CVE-2024-23342 Timing Attack

yaronbenezra opened this issue · 6 comments

Hello,

SNYK and other scanning tools alert on a package vulnerability (Timing Attack) found in the "sign_digest" API function
(ecdsa.SigningKey.sign_digest()).

https://www.cve.org/CVERecord?id=CVE-2024-23342 (HIGH alert)

Can you address when you are going to fix this?

Regards,
Yaron

We are also interested in the ETA for the fix.

As stated in the vulnerability release GHSA-wj6h-64fc-37mp, and as stated in the security policy, timing attacks are outside the scope of the project.

If you need an implementation that is safe against side-channel attacks, I recommend using https://github.com/pyca/cryptography

It's a won't fix.

dlpzx commented

Hi @tomato42, can you give more details on what you mean by "timing attacks are outside the scope of the project."? Does it mean that ecdsa is not affected or just that resolving that vulnerability is the responsibility of the users of ecdsa? Thanks

@dlpzx I mean that Python doesn't provide the primitives that are side-channel free, so it's impossible to build a side-channel free implementation on top of them. To actually fix it, it would require implementing the whole operation in C, which is a non-goal for the library (as it won't be pure-python any more).
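
For callers of `ecdsa.SigningKey.sign_digest()` who follow the recommendation above, here is a sketch of the same operation on pyca/cryptography; it is an added example, not code from this thread or from either project. It assumes NIST P-256 with SHA-256 digests, and the wrapper names `generate_key`, `sign_digest` and `verify_digest` are hypothetical; the raw `r || s` output matches python-ecdsa's default signature encoding so stored signatures stay compatible.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, utils

# Assumptions for this example: P-256 (python-ecdsa's NIST256p) and SHA-256.
CURVE = ec.SECP256R1()
PREHASHED = ec.ECDSA(utils.Prehashed(hashes.SHA256()))
DIGEST_LEN = 32   # SHA-256 output size in bytes
SCALAR_LEN = 32   # byte length of the P-256 group order


def generate_key():
    """Create a fresh P-256 private key (signing is done by the library's backend, not in Python)."""
    return ec.generate_private_key(CURVE)


def sign_digest(private_key, digest):
    """Sign an already-computed SHA-256 digest; return raw r || s (64 bytes)."""
    if len(digest) != DIGEST_LEN:
        raise ValueError("expected a 32-byte SHA-256 digest")
    der = private_key.sign(digest, PREHASHED)   # cryptography returns DER
    r, s = utils.decode_dss_signature(der)
    return r.to_bytes(SCALAR_LEN, "big") + s.to_bytes(SCALAR_LEN, "big")


def verify_digest(public_key, signature, digest):
    """Verify a raw r || s signature over a SHA-256 digest; True or False."""
    if len(signature) != 2 * SCALAR_LEN or len(digest) != DIGEST_LEN:
        return False
    r = int.from_bytes(signature[:SCALAR_LEN], "big")
    s = int.from_bytes(signature[SCALAR_LEN:], "big")
    try:
        public_key.verify(utils.encode_dss_signature(r, s), digest, PREHASHED)
    except InvalidSignature:
        return False
    return True


if __name__ == "__main__":
    import hashlib
    key = generate_key()
    digest = hashlib.sha256(b"constructed sample message").digest()
    sig = sign_digest(key, digest)
    print(len(sig), verify_digest(key.public_key(), sig, digest))
```
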