CVE-2023-26557

Published: Apr 21, 2023

Modified: Feb 5, 2025

PUBLISHED

Description

io.finnet tss-lib before 2.0.0 can leak the lambda value of a private key via a timing side-channel attack because it relies on Go big.Int, which is not constant time for Cmp, modular exponentiation, or modular inverse. An example leak is in crypto/paillier/paillier.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/IoFinnet/tss-lib/releases/tag/v2.0.0

https://github.com/bnb-chain/tss-lib/tree/v1.3.5

https://gitlab.com/thorchain/tss/tss-lib/-/tags/v0.1.3

https://medium.com/%40iofinnet/security-disclosure-for-ecdsa-and-eddsa-threshold-signature-schemes-4e969af7155b

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-26557

Description

Affected Products

References