CVE-2023-33242
Published: 09 August 2023
Summary
CVE-2023-33242 is a critical-severity Injection (CWE-74) vulnerability in Lindell17 (vendor: Lindell17 Project). Its CVSS base score is 9.6 (Critical).
Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Crypto wallets implementing the Lindell17 threshold signature scheme for ECDSA key generation and signing are affected by CVE-2023-33242. The flaw stems from implementations that do not follow the abort-handling assumption required by the security proof in the original Lindell17 paper, which lets an attacker obtain one bit of the private key per signature attempt.
An attacker participating in the multi-party signing protocol can repeatedly trigger signature failures and exfiltrate a single bit of key material each time. After 256 such interactions the full ECDSA private key can be reconstructed, letting the attacker forge signatures and move funds controlled by the wallet.
Public references include the original Lindell17 paper, Fireblocks technical reports, and proof-of-concept repositories that demonstrate the attack against non-compliant implementations; these materials focus on the protocol deviation rather than shipping patches or configuration changes for downstream wallets. The associated EPSS score has remained flat at 0.0590 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37411
Vulnerability details
Crypto wallets implementing the Lindell17 TSS protocol might allow an attacker to extract the full ECDSA private key by exfiltrating a single bit in every signature attempt (256 in total) because of not adhering to the paper's security proof's assumption regarding handling aborts after a failed signature.
- CWE(s): CWE-74 (Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry, so it addresses generic injection rather than the protocol deviation (abort handling after a failed signature) described above.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).