CVE-2023-36660 – CVE-2023-36660 is a memory corruption vulnerabi... (How to Fix)

Q: What is the severity of CVE-2023-36660?

CVE-2023-36660 has a CVSS score of 9.8 (CRITICAL). CVE-2023-36660 is a memory corruption vulnerability in the OCB (Offset Codebook) mode implementation in libnettle cryptographic library versions 3.9. It allows attackers to execute arbitrary code or cause denial of service. Systems using Nettle for cryptographic operations with OCB mode are affected.

📋 TL;DR

CVE-2023-36660 is a memory corruption vulnerability in the OCB (Offset Codebook) mode implementation in libnettle cryptographic library versions 3.9. It allows attackers to execute arbitrary code or cause denial of service. Systems using Nettle for cryptographic operations with OCB mode are affected.

💻 Affected Systems

Products:

Nettle cryptographic library
Applications linking against libnettle

Versions: Nettle 3.9 (specifically versions before 3.9.1)

Operating Systems: Linux distributions using vulnerable Nettle versions, Any OS with affected Nettle builds

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when OCB mode is used. Many distributions don't enable OCB by default.

📦 What is this software?

Nettle by Nettle Project

View all CVEs affecting Nettle →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Application crashes and denial of service affecting cryptographic functionality.

🟢

If Mitigated

Limited impact if OCB mode is disabled or unused in configurations.

🌐 Internet-Facing: MEDIUM - Requires specific cryptographic usage patterns but could affect web servers using vulnerable Nettle.

🏢 Internal Only: LOW - Typically requires local access or specific application integration.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires triggering the OCB functionality with malicious input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Nettle 3.9.1 or later

Vendor Advisory: https://git.lysator.liu.se/nettle/nettle/-/commit/867a4548b95705291a3afdd66d76e7f17ba2618f

Restart Required: Yes

Instructions:

1. Update Nettle to version 3.9.1 or later using your distribution's package manager. 2. For source installations: download from https://www.lysator.liu.se/~nisse/nettle/ and compile. 3. Restart affected services or applications using Nettle.

🔧 Temporary Workarounds

Disable OCB mode

all

Configure applications to avoid using OCB encryption mode

Application-specific configuration required

🧯 If You Can't Patch

Disable OCB mode in all applications using Nettle
Implement network segmentation to limit access to affected systems

🔍 How to Verify

Check if Vulnerable:

Check Nettle version: 'nettle-hash --version' or 'dpkg -l libnettle*' on Debian/Ubuntu, 'rpm -q nettle' on RHEL

Check Version:

nettle-hash --version 2>/dev/null | head -1

Verify Fix Applied:

Confirm version is 3.9.1 or later using version check commands

📡 Detection & Monitoring

Log Indicators:

Application crashes related to cryptographic operations
Memory corruption errors in system logs

Network Indicators:

Unusual cryptographic protocol usage patterns

SIEM Query:

Process monitoring for applications using libnettle with unexpected termination codes

📊 Metadata

CVE ID: CVE-2023-36660

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: June 25, 2023

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36660, you might also want to check these: