CVE-2024-37880
Published: 10 June 2024
Summary
CVE-2024-37880 is a high-severity Observable Discrepancy (CWE-203) vulnerability in Pq-Crystals Kyber. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Credential Access (T1212); ranked at the 34.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-36864
Vulnerability details
The Kyber reference implementation before 9b8d306, when compiled by LLVM Clang through 18.x with some common optimization options, has a timing side channel that allows attackers to recover an ML-KEM 512 secret key in minutes. This occurs because poly_frommsg in…
more
poly.c does not prevent Clang from emitting a vulnerable secret-dependent branch.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The timing side-channel vulnerability in the Kyber/ML-KEM reference implementation enables attackers to exploit the flaw for recovering cryptographic secret keys, mapping to exploitation for credential access.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Misdirection can normalize or falsify responses to eliminate observable discrepancies that aid reconnaissance.
Observable discrepancies in system behavior can be modulated to create covert storage or timing channels; the required analysis detects and constrains such avenues.
Prevents attackers from using observable differences in error responses to infer internal system details or state.