CVE-2024-34703
📋 TL;DR
This vulnerability in the Botan cryptography library allows attackers to cause denial of service by presenting specially crafted X.509 certificates with excessively large elliptic curve parameters. When parsing these certificates, the library performs computationally expensive prime checks, consuming excessive CPU resources. Systems using Botan versions before 2.19.4 or 3.3.0 for certificate validation are affected.
💻 Affected Systems
- Botan cryptography library
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU exhaustion, potentially affecting multiple services simultaneously if a vulnerable certificate validation endpoint is targeted.
Likely Case
Degraded performance or temporary service disruption on systems processing malicious certificates, requiring restart of affected services.
If Mitigated
Minimal impact with proper monitoring and rapid response to performance anomalies, though some service degradation may occur during attack.
🎯 Exploit Status
Proof of concept uses 16Kbit prime parameters to trigger excessive computation. Attack requires ability to present malicious certificate to vulnerable system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.19.4 or 3.3.0
Vendor Advisory: https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7
Restart Required: Yes
Instructions:
1. Identify Botan version in use. 2. Update to Botan 2.19.4 (for 2.x branch) or 3.3.0 (for 3.x branch). 3. Recompile applications using Botan. 4. Restart affected services.
🔧 Temporary Workarounds
Disable explicit curve parameter support
allConfigure applications to reject certificates using explicit encoding of elliptic curve parameters
Application-specific configuration required - consult application documentation
🧯 If You Can't Patch
- Implement rate limiting on certificate validation endpoints to prevent mass exploitation
- Deploy monitoring for CPU spikes during certificate parsing and implement automated alerting
🔍 How to Verify
Check if Vulnerable:
Check Botan version: botan version or examine library files. Versions before 2.19.4 or 3.3.0 are vulnerable.Check Version:
botan version (if installed) or check library metadata in application binariesVerify Fix Applied:
Verify Botan version is 2.19.4 or higher (2.x branch) or 3.3.0 or higher (3.x branch). Test with known malicious certificate to ensure rejection.📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU usage during certificate validation
- Certificate parsing timeouts or failures
- Repeated certificate validation attempts
Network Indicators:
- Incoming connections presenting certificates with unusual sizes
- Traffic patterns targeting certificate validation endpoints
SIEM Query:
source="application_logs" AND ("certificate parsing" OR "X.509 validation") AND (cpu_usage>90 OR duration>10s)🔗 References
- https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4
- https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a
- https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7
- https://github.com/randombit/botan/commit/08c404b23740babee1f6aa51b54e966029aadee4
- https://github.com/randombit/botan/commit/94e9154c143aa5264da6254a6a1be5bc66ee2b5a
- https://github.com/randombit/botan/security/advisories/GHSA-w4g2-7m2h-7xj7
