发现在整个会话中使用相同的 AES/GCM Nonce

CVE编号

N/A

利用情况

暂无

补丁情况

N/A

披露时间

2021-04-07

漏洞描述

Discovery uses the same AES/GCM Nonce throughout the session though it should be generated on per message basis which can lead to the leaking of the session key. As the actual ENR record is signed with a different key it is not possible for an attacker to alter the ENR record. Note that the node private key is not compromised, only the session key generated to communicate with an individual peer.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/advisories/GHSA-w3hj-wr2q-x83g

CVSS3评分 N/A

• 攻击路径 N/A
• 攻击复杂度 N/A
• 权限要求 N/A
• 影响范围 N/A
• 用户交互 N/A
• 可用性 N/A
• 保密性 N/A
• 完整性 N/A

N/A

CWE-ID	漏洞类型
CWE-323	在加密中重用Nonce与密钥对

Exp相关链接

- avd.aliyun.com