Skip to main content

Gecko Software Development Kit CVE-2024-22473

HIGH
Insufficient Entropy (CWE-331)
2024-02-21 product-security@silabs.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
CVE Published
Feb 21, 2024 - 19:15 nvd
HIGH 7.5

DescriptionNVD

TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. This defect may allow Signature Spoofing by Key Recreation.This issue affects Gecko SDK through v4.4.0.

AnalysisAI

TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-331. TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. This defect may allow Signature Spoofing by Key Recreation.4.0. Affected products include: Silabs Gecko Software Development Kit.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2023-31247 CRITICAL POC
9.8 Nov 14

A memory corruption vulnerability exists in the HTTP Server Host header parsing functionality of Weston Embedded uC-HTTP

CVE-2023-28391 CRITICAL POC
9.8 Nov 14

A memory corruption vulnerability exists in the HTTP Server header parsing functionality of Weston Embedded uC-HTTP v3.0

CVE-2023-28379 CRITICAL POC
9.8 Nov 14

A memory corruption vulnerability exists in the HTTP Server form boundary functionality of Weston Embedded uC-HTTP v3.01

CVE-2023-27882 CRITICAL POC
9.8 Nov 14

A heap-based buffer overflow vulnerability exists in the HTTP Server form boundary functionality of Weston Embedded uC-H

CVE-2023-25181 CRITICAL POC
9.8 Nov 14

A heap-based buffer overflow vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP v3.01.01.

CVE-2023-24585 CRITICAL POC
9.8 Nov 14

An out-of-bounds write vulnerability exists in the HTTP Server functionality of Weston Embedded uC-HTTP v3.01.01. Rated

CVE-2023-2686 CRITICAL
9.8 Jun 15

Buffer overflow in Wi-Fi Commissioning MicriumOS example in Silicon Labs Gecko SDK v4.2.3 or earlier allows connected de

CVE-2023-4280 CRITICAL
9.3 Jan 02

An unvalidated input in Silicon Labs TrustZone implementation in v4.3.x and earlier of the Gecko SDK allows an attacker

CVE-2023-4020 CRITICAL
9.1 Dec 15

An unvalidated input in a library function responsible for communicating between secure and non-secure memory in Silicon

CVE-2023-41097 HIGH
7.5 Dec 21

An Observable Timing Discrepancy, Covert Timing Channel vulnerability in Silabs GSDK on ARM potentially allows Padding O

CVE-2023-32100 HIGH
7.5 May 18

Compiler removal of buffer clearing in sli_se_driver_mac_compute in Silicon Labs Gecko Platform SDK v4.2.1 and earlier r

CVE-2023-32099 HIGH
7.5 May 18

Compiler removal of buffer clearing in sli_se_sign_hash in Silicon Labs Gecko Platform SDK v4.2.1 and earlier results in

Share

CVE-2024-22473 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy