CVE-2024-37305
📋 TL;DR
CVE-2024-37305 is a buffer overflow vulnerability in oqs-provider, the provider that adds post-quantum cryptography to OpenSSL 3. An attacker can craft malicious hybrid keys or signatures that crash the process or leak sensitive memory contents. This affects systems that use oqs-provider for post-quantum cryptography in TLS, X.509, or S/MIME.
💻 Affected Systems
- oqs-provider
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, though information leakage is more likely given the vulnerability type.
Likely Case
Denial of service through application crashes or information disclosure via memory leaks.
If Mitigated
Limited impact if systems are behind firewalls with strict input validation and monitoring.
🎯 Exploit Status
Exploitation requires crafting malformed hybrid keys or signatures, which could be delivered via TLS handshakes, certificates, or S/MIME messages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.6.1
Vendor Advisory: https://github.com/open-quantum-safe/oqs-provider/security/advisories/GHSA-pqvr-5cr8-v6fx
Restart Required: Yes
Instructions:
1. Stop services using oqs-provider.
2. Update oqs-provider to v0.6.1 via package manager or source compilation.
3. Restart affected services.
4. Verify the update was successful.
🔧 Temporary Workarounds
No workarounds available
The advisory states there are no workarounds for this vulnerability.
🧯 If You Can't Patch
- Disable hybrid key operations in oqs-provider configuration if possible
- Implement network segmentation and strict firewall rules to limit access to affected systems
🔍 How to Verify
Check if Vulnerable:
Check oqs-provider version (the -providers option is what makes openssl list print each loaded provider's name, version and status): openssl list -providers -provider oqsprovider 2>/dev/null | grep -i version
Check Version:
openssl list -providers -provider oqsprovider 2>/dev/null | grep -i version
Verify Fix Applied:
Verify version is v0.6.1 or later: openssl list -providers -provider oqsprovider 2>/dev/null | grep -i version
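One way to script the "Verify Fix Applied" step, as an added example (not code from this page or from the oqs-provider project). It assumes the name:/version: layout that openssl list -providers prints; the sample listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an oqs-provider install against the patch version
# given on this page. Function names and SAMPLE are constructed.
FIXED="0.6.1"

# Read `openssl list -providers` output on stdin; print oqsprovider's version.
oqs_version() {
    awk '
        NF == 1 && $1 !~ /:$/ { in_oqs = ($1 == "oqsprovider"); next }  # provider name line
        in_oqs && $1 == "version:" { print $2; exit }
    '
}

# Return 0 if dotted numeric version $1 >= $2 (compared component by component,
# so 0.10.0 is correctly newer than 0.6.1).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Print one of: fixed, unpatched, unknown (suffix such as -dev), absent.
oqs_status() {
    v=$(oqs_version)
    v=${v#v}                                   # tolerate a leading "v"
    [ -n "$v" ] || { echo absent; return; }
    case "$v" in *[!0-9.]*) echo unknown; return ;; esac
    if version_ge "$v" "$FIXED"; then echo fixed; else echo unpatched; fi
}

# Constructed sample listing (not captured from a real host).
SAMPLE='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.2
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.6.0
    status: active'

printf '%s\n' "$SAMPLE" | oqs_status
# On a real host: openssl list -providers -provider oqsprovider 2>/dev/null | oqs_status
```

A result of unknown means the build carries a suffix and should be checked against the vendor advisory by hand; absent means the provider did not load, not that the host is safe.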
📡 Detection & Monitoring
Log Indicators:
- Application crashes related to oqs-provider
- Memory access violation errors in system logs
- Unexpected termination of TLS services
Network Indicators:
- Unusual TLS handshake failures
- Malformed certificate or signature traffic patterns
SIEM Query:
source="*" ("oqs-provider" OR "liboqs") AND ("crash" OR "segmentation fault" OR "memory violation")