CVE-2024-11862: Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications

November 27, 2024

Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering half of the XTS key obsolete. Timing attacks require specific conditions to be exploitable.

References

github.com/Devolutions/XTS.NET
github.com/Devolutions/XTS.NET/commit/fb349d5bfb587218e8603b38ea37f03f036b57fd
github.com/Devolutions/XTS.NET/security/advisories/GHSA-j6vm-4r7g-x4gr
github.com/advisories/GHSA-j6vm-4r7g-x4gr
nvd.nist.gov/vuln/detail/CVE-2024-11862

Code Behaviors & Features

Detect and mitigate CVE-2024-11862 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →