Cyber Resilience

CVE-2023-33242

Severity: Critical · Public PoC

Published: 09 August 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0590 (90.8th percentile)
Risk Priority: 23 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-33242 is a critical-severity Injection (CWE-74) vulnerability in Lindell17 (Lindell17 Project). Its CVSS v3.1 base score is 9.6 (Critical).

Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

Crypto wallets implementing the Lindell17 threshold signature scheme for ECDSA key generation and signing are affected by CVE-2023-33242. The flaw stems from implementations that do not follow the abort-handling assumption required by the security proof in the original Lindell17 paper, which lets a malicious signing party learn one bit of the private key per signature attempt.

An attacker participating in the multi-party signing protocol can repeatedly trigger signature failures and extract a single bit of key information from each one. After 256 such interactions the full ECDSA private key can be reconstructed, allowing the attacker to forge signatures and move funds controlled by the wallet.

Public references include the original Lindell17 paper, Fireblocks technical reports, and proof-of-concept repositories that demonstrate the attack against non-compliant implementations; these materials focus on the protocol deviation rather than on shipping patches or configuration changes for downstream wallets. The associated EPSS score has remained flat at 0.0590, with no material increase since disclosure.

Vulnerability details

Crypto wallets implementing the Lindell17 TSS protocol might allow an attacker to extract the full ECDSA private key by exfiltrating a single bit in every signature attempt (256 in total) because of not adhering to the paper's security proof's assumption regarding handling aborts after a failed signature.

CWE(s)

CWE-74 (Injection)
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: lindell17 project
Product: lindell17
Versions: all versions

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-74) cited in the NVD entry rather than from the protocol-level flaw described above.

Addresses CWE-74: Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.

Addresses CWE-74: Identifies indicators of injection attacks (command, SQL, LDAP, etc.) through anomaly and attack monitoring.
