CVE-2023-3724

Summary

CVE-2023-3724 is a cyber vulnerability that affects multiple products, including aD9sPw, aD9sPx, aD9sPy, and many others. This vulnerability occurs when a TLS 1.3 client connects to a malicious server without receiving a PSK (pre shared key) extension or a KSE (key share extension). In this scenario, a default predictable buffer is used for the Input Keying Material (IKM) value when generating the session master secret key. This can compromise the generated key and allow an eavesdropper to reconstruct it, potentially gaining access to or tampering with the session's message contents. While client validation of connected servers and private key information are not affected, organizations not controlling both sides of the connection may be at risk of insecure TLS 1.3 sessions. To remediate this vulnerability, wolfSSL recommends that TLS 1.3 client-side users update their version of wolfSSL used. The risk score for this vulnerability is rated at 67 out of 100, with a base severity level of CRITICAL and a base score of 9.1 according to CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.