CVE-2023-46324

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Oct 23, 2023
Updated: Jan 9, 2024
CWE ID 347

Summary

CVE-2023-46324 is a vulnerability affecting the free5GC udm software before version 1.2.0. When Go version 1.19 or older is used, this issue allows an attacker to conduct an Invalid Curve Attack. The vulnerability arises because the software computes shared secrets using unvalidated public keys in the pkg/suci/suci.go file. The attacker can exploit this by sending malicious SUCIs to the UDM, which attempts to decrypt them using both its own private key and the attacker's unverified public key. This increases the risk of successful man-in-the-middle attacks and data breaches.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share