CVE-2023-3724
CVSS 3.1 Score 9.1 of 10 (high)
Details
Summary
CVE-2023-3724 is a cyber vulnerability that affects multiple products, including aD9sPw, aD9sPx, aD9sPy, and many others. This vulnerability occurs when a TLS 1.3 client connects to a malicious server without receiving a PSK (pre shared key) extension or a KSE (key share extension). In this scenario, a default predictable buffer is used for the Input Keying Material (IKM) value when generating the session master secret key. This can compromise the generated key and allow an eavesdropper to reconstruct it, potentially gaining access to or tampering with the session's message contents. While client validation of connected servers and private key information are not affected, organizations not controlling both sides of the connection may be at risk of insecure TLS 1.3 sessions. To remediate this vulnerability, wolfSSL recommends that TLS 1.3 client-side users update their version of wolfSSL used. The risk score for this vulnerability is rated at 67 out of 100, with a base severity level of CRITICAL and a base score of 9.1 according to CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Advisories, Assessments, and Mitigations
Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future
- Gain complete coverage of your cyber, third party, and physical attack surface
- Proactively mitigate threats before they turn into costly attacks
- Make fast, effective, data-driven decisions