CVE-2023-24609

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Dec 22, 2023

Updated: Jan 3, 2024

CWE ID 190

Summary

CVE-2023-24609: A serious vulnerability impacts Matrix SSL 4.x through 4.6.0 and Rambus TLS Toolkit. The TLS 1.3 server experiences a length-subtraction integer overflow during Client Hello Pre-Shared Key extension parsing, specifically in the functions tls13VerifyBinder and tls13TranscriptHashUpdate. Malicious actors can exploit this flaw by sending a large number of crafted TLS messages, causing an SHA-2 hash calculation of over 65 KB in RAM. The heavy CPU load resulting from this process can potentially lead to system instability or denial of service.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

MatrixSSL

Affected Vendors

Matrixssl

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/t4vCMF
https://www.cve.org/CVERecord?id=CVE-2023-24609
https://nvd.nist.gov/vuln/detail/CVE-2023-24609

Back to Vulnerability Database