Cyber Resilience

CVE-2022-24884

Critical

Published: 06 May 2022

Published
06 May 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0012 31.1th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-24884 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Fedoraproject Fedora. Its CVSS base score is 10.0 (Critical).

Operationally, ranked at the 31.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

ecdsautils is a tiny collection of programs used for ECDSA (keygen, sign, verify). `ecdsa_verify_[prepare_]legacy()` does not check whether the signature values `r` and `s` are non-zero. A signature consisting only of zeroes is always considered valid, making it trivial to…

more

forge signatures. Requiring multiple signatures from different public keys does not mitigate the issue: `ecdsa_verify_list_legacy()` will accept an arbitrary number of such forged signatures. Both the `ecdsautil verify` CLI command and the libecdsautil library are affected. The issue has been fixed in ecdsautils 0.4.1. All older versions of ecdsautils (including versions before the split into a library and a CLI utility) are vulnerable.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

ecdsautils project
ecdsautils
≤ 0.4.1
fedoraproject
fedora
34, 35, 36
debian
debian linux
10.0, 11.0, 9.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-347

Requires verification of digital signatures using organization-approved certificates before installation, directly preventing improper verification of cryptographic signatures.

addresses: CWE-347

Component authenticity commonly depends on cryptographic signatures; the control enforces proper verification of those signatures.

addresses: CWE-347

PKI certificates under an approved policy require cryptographic signature verification on issuance and validation.

addresses: CWE-347

Requires cryptographic signatures on authoritative data and support for verifying the chain of trust.

addresses: CWE-347

Mandates verification of cryptographic signatures (e.g., DNSSEC RRSIG) on resolution responses, addressing missing or bypassed signature checks.

addresses: CWE-347

Integrity tools commonly rely on cryptographic signatures whose improper validation this weakness covers.

addresses: CWE-347

Authenticity validation commonly relies on cryptographic signature or certificate checks that this control enforces.

References