CVE-2024-37880

7.5 HIGH

📋 TL;DR

A timing side channel in the Kyber reference implementation lets an attacker recover an ML-KEM 512 secret key when the code is compiled with LLVM Clang through 18.x using common optimization options, because the compiler emits a secret-dependent branch. Any system that uses such a build for post-quantum key exchange is affected.

💻 Affected Systems

Products:
  • Kyber reference implementation
  • Systems using ML-KEM 512 from vulnerable Kyber builds
Versions: Kyber reference implementation before commit 9b8d306
Operating Systems: All operating systems when compiled with vulnerable toolchain
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects builds compiled with LLVM Clang through 18.x with certain optimization flags that trigger the vulnerable secret-dependent branch.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of encrypted communications protected by ML-KEM 512, allowing attackers to decrypt past and future messages secured with the compromised key.

🟠 Likely Case

Targeted attacks against high-value systems using vulnerable Kyber implementations, leading to data exfiltration and loss of confidentiality.

🟢 If Mitigated

Limited impact if systems use updated Kyber implementations or alternative compilation toolchains without vulnerable optimizations.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires timing measurements and cryptographic analysis, but proof-of-concept code exists in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Kyber commit 9b8d306 or later

Vendor Advisory: https://github.com/pq-crystals/kyber/commit/9b8d30698a3e7449aeb34e62339d4176f11e3c6c

Restart Required: No

Instructions:

1. Update to Kyber commit 9b8d306 or later.
2. Recompile all affected software with the patched Kyber implementation.
3. Regenerate and deploy new cryptographic keys.

🔧 Temporary Workarounds

Use alternative compiler (platform: all)

Compile Kyber with GCC or another compiler instead of LLVM Clang 18.x or earlier:

CC=gcc make

Disable vulnerable optimizations (platform: all)

Compile with Clang flags that prevent the vulnerable optimization:

CFLAGS="-O0" make
or CFLAGS="-fno-if-conversion" make
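Compiler flags are a blunt workaround; the durable fix is to keep the optimizer from learning that the secret-derived mask is only ever 0 or -1. As an added illustration (not the project's code and not the text of commit 9b8d306), the following shows the message-bit-to-coefficient expansion in its branch-prone "before" form beside a version that routes the bit through an asm value barrier. Function names (frommsg_plain, frommsg_barrier, cmov_int16, frommsg_errors) and the test message are constructed here; the constants follow ML-KEM (q = 3329, 256 coefficients).

```c
#include <stdint.h>

#define KYBER_N 256
#define KYBER_Q 3329
#define MSGBYTES (KYBER_N / 8)   /* 32 bytes, one message bit per coefficient */

/* "Before" form: the mask is pure arithmetic, but an optimiser that proves it is
 * only 0 or -1 may lower the AND into a branch on the secret bit (CVE-2024-37880). */
void frommsg_plain(int16_t r[KYBER_N], const uint8_t msg[MSGBYTES])
{
  for (unsigned i = 0; i < MSGBYTES; i++)
    for (unsigned j = 0; j < 8; j++) {
      int16_t mask = -(int16_t)((msg[i] >> j) & 1);   /* 0x0000 or 0xFFFF */
      r[8 * i + j] = mask & ((KYBER_Q + 1) / 2);
    }
}

/* Constant-time conditional move: *r = v if b == 1, unchanged if b == 0. The empty
 * asm claims to modify b, so the compiler must treat it as opaque (GCC/Clang). */
static inline void cmov_int16(int16_t *r, int16_t v, uint16_t b)
{
#if defined(__GNUC__) || defined(__clang__)
  __asm__("" : "+r"(b));
#endif
  b = -b;                                  /* 0x0000 or 0xFFFF */
  *r ^= b & ((*r) ^ v);
}

/* Hardened form: same output as frommsg_plain, built on the barriered cmov. */
void frommsg_barrier(int16_t r[KYBER_N], const uint8_t msg[MSGBYTES])
{
  for (unsigned i = 0; i < MSGBYTES; i++)
    for (unsigned j = 0; j < 8; j++) {
      r[8 * i + j] = 0;
      cmov_int16(&r[8 * i + j], (KYBER_Q + 1) / 2, (msg[i] >> j) & 1);
    }
}

/* Decode a constructed 32-byte message with both variants; return how many
 * coefficients disagree with each other or with the expected 0 / 1665. */
int frommsg_errors(void)
{
  uint8_t msg[MSGBYTES];
  int16_t a[KYBER_N], b[KYBER_N];
  int bad = 0;
  for (unsigned i = 0; i < MSGBYTES; i++) msg[i] = (uint8_t)(0xA5 ^ (i * 37));
  frommsg_plain(a, msg);
  frommsg_barrier(b, msg);
  for (unsigned k = 0; k < KYBER_N; k++) {
    int16_t want = ((msg[k / 8] >> (k % 8)) & 1) ? (KYBER_Q + 1) / 2 : 0;
    bad += (a[k] != b[k]) + (b[k] != want);
  }
  return bad;
}
```

Functional equivalence is necessary but not sufficient: the check that matters is inspecting the compiled loop (for example with clang -O2 -S) to confirm no conditional jump depends on the message bit.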

🧯 If You Can't Patch

  • Monitor for unusual timing patterns in cryptographic operations
  • Implement additional network segmentation for systems using vulnerable Kyber implementations

🔍 How to Verify

Check if Vulnerable:

Check the Kyber commit hash with git log --oneline -1. If it predates 9b8d306 and the build used Clang ≤18.x with optimizations enabled, the system is vulnerable.

Check Version:

clang --version && git log --oneline -1

Verify Fix Applied:

Verify the Kyber commit is 9b8d306 or later with git show 9b8d306. Confirm the build toolchain is not a vulnerable Clang version with the problematic optimizations.

📡 Detection & Monitoring

Log Indicators:

  • Unusual timing patterns in cryptographic operations
  • Multiple failed decryption attempts with timing correlation

Network Indicators:

  • Unusual network traffic patterns during key exchange operations
  • Repeated connection attempts to cryptographic services

SIEM Query:

source="crypto_services" AND (operation_time > threshold OR pattern="repeated_key_exchange")
