CVE-2024-8361

7.5 HIGH

📋 TL;DR

A vulnerability in SiWx91x devices causes the SHA2/224 algorithm to return an incorrect 256-bit hash instead of the expected 224-bit hash, triggering a software assertion that leads to Denial of Service. Affected devices will either restart (if a watchdog is implemented) or require a hard reset (if no watchdog is present). This impacts all systems using vulnerable SiWx91x hardware.

💻 Affected Systems

Products:
  • SiWx91x series devices
Versions: All versions prior to patch
Operating Systems: Embedded systems using SiWx91x hardware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in hardware/firmware layer, affects all configurations using SHA2/224 algorithm.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Persistent DoS attacks could render devices continuously unavailable, requiring manual intervention for systems without watchdogs.

🟠 Likely Case: Intermittent device restarts or temporary unavailability when SHA2/224 operations are triggered.

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring to detect and respond to DoS events.

🌐 Internet-Facing: MEDIUM - Attackers could trigger DoS remotely if devices are exposed, but requires specific SHA2/224 operations.
🏢 Internal Only: LOW - Internal attackers could cause localized DoS but impact is limited to affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires triggering SHA2/224 operations on affected devices. No authentication bypass needed but requires specific cryptographic operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific firmware version

Vendor Advisory: https://community.silabs.com/068Vm00000I7zqo

Restart Required: No

Instructions:

  1. Check vendor advisory for patched firmware version.
  2. Download updated firmware from Silicon Labs.
  3. Apply firmware update to affected SiWx91x devices.
  4. Verify SHA2/224 functionality post-update.

🔧 Temporary Workarounds

Disable SHA2/224 usage
  Versions: all
  Avoid using SHA2/224 algorithm in applications running on SiWx91x devices
  Notes: Application-specific configuration changes required

Implement watchdog monitoring
  Versions: all
  Ensure watchdog timers are properly configured to detect and recover from assertion failures
  Notes: Hardware/firmware configuration required

🧯 If You Can't Patch

  • Segment affected devices on isolated networks to limit blast radius
  • Implement monitoring for device restarts and assertion failures

🔍 How to Verify

Check if Vulnerable:

Test SHA2/224 hash generation on SiWx91x device and verify output length is 224 bits (28 bytes) not 256 bits (32 bytes)

Check Version:

Check device firmware version via vendor-specific commands (consult device documentation)

Verify Fix Applied:

After patching, verify SHA2/224 returns correct 224-bit hash length and no assertion failures occur
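The length check described above can be scripted on a host that talks to the device under test. The following is an added example, not code from this advisory or from Silicon Labs: it computes a reference SHA-224 with Python's hashlib, compares it with whatever digest the device returned, and classifies the result. The `simulated_vulnerable_device` and `simulated_patched_device` functions are constructed stand-ins for a real device transport (they simply return a 32-byte or 28-byte digest); the assumption that a vulnerable device's 32-byte output equals plain SHA-256 is a diagnostic guess, not something the advisory states.

```python
import hashlib

SHA224_LEN = 28  # expected digest length for SHA-224 (224 bits)
SHA256_LEN = 32  # length of the incorrect digest the advisory describes (256 bits)

# Constructed test inputs; FIPS 180 "abc" plus an empty and a multi-block message.
TEST_VECTORS = [b"", b"abc", b"a" * 1000]


def classify_sha224_output(message: bytes, device_digest: bytes) -> dict:
    """Compare a digest the device returned for `message` with a host-side
    SHA-224 reference and report what the result indicates.

    status values:
      "ok"            28 bytes and equal to the reference digest
      "wrong_length"  not 28 bytes; 32 bytes is the condition the advisory describes
      "mismatch"      correct length but a different value than the reference
    """
    reference = hashlib.sha224(message).digest()
    result = {
        "expected_len": SHA224_LEN,
        "actual_len": len(device_digest),
        "reference_hex": reference.hex(),
        "device_hex": device_digest.hex(),
        "looks_like_sha256": False,
    }
    if len(device_digest) != SHA224_LEN:
        result["status"] = "wrong_length"
        # Diagnostic only (assumption, not stated by the advisory): note whether
        # the 32-byte output happens to be a plain SHA-256 of the same input.
        if len(device_digest) == SHA256_LEN:
            result["looks_like_sha256"] = (
                device_digest == hashlib.sha256(message).digest()
            )
    elif device_digest != reference:
        result["status"] = "mismatch"
    else:
        result["status"] = "ok"
    return result


def audit_device(device_hash_fn, vectors=TEST_VECTORS) -> str:
    """Run every test vector through `device_hash_fn` (a callable that asks the
    device for a SHA-224 digest) and summarise the device state."""
    statuses = {classify_sha224_output(m, device_hash_fn(m))["status"] for m in vectors}
    if "wrong_length" in statuses:
        return "vulnerable_length_bug"
    if "mismatch" in statuses:
        return "digest_mismatch"
    return "ok"


# Constructed stand-ins for a real device transport (serial/AT command, RPC, ...).
def simulated_vulnerable_device(message: bytes) -> bytes:
    """Returns a 32-byte digest, mimicking the incorrect 256-bit output."""
    return hashlib.sha256(message).digest()


def simulated_patched_device(message: bytes) -> bytes:
    """Returns the correct 28-byte SHA-224 digest."""
    return hashlib.sha224(message).digest()


if __name__ == "__main__":
    for name, fn in [("vulnerable", simulated_vulnerable_device),
                     ("patched", simulated_patched_device)]:
        print(f"{name}: {audit_device(fn)}")
        print(classify_sha224_output(b"abc", fn(b"abc")))
```

Replace the simulated functions with a wrapper around the real device interface from the vendor documentation; the classification logic stays the same before and after the firmware update.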

📡 Detection & Monitoring

Log Indicators:

  • Software assertion failures
  • Watchdog timeouts
  • Unexpected device restarts
  • SHA2/224 operation errors

Network Indicators:

  • Unresponsive devices
  • Increased restart events in device logs

SIEM Query:

Search for 'assertion failure', 'watchdog timeout', or 'SHA2/224 error' in device logs
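As an added example (not part of this advisory, and not a Silicon Labs tool), the following scanner applies the log indicators listed above to a small set of constructed log lines: it tags each line with the indicator it matches, counts indicators per device, and flags a device whose restarts exceed a threshold or whose restart follows an assertion failure. The log line format, device names and timestamps are all made up for the example; adapt the `LINE_RE` pattern to your collector's format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not real SiWx91x output). node-17 shows the
# assertion -> watchdog timeout -> reboot pattern twice; node-22 is healthy.
SAMPLE_LOGS = """\
2024-09-01T10:00:01Z node-17 sha224 request id=41 complete
2024-09-01T10:00:02Z node-17 assertion failure: sha224 digest length 32 != 28
2024-09-01T10:00:03Z node-17 watchdog timeout, resetting
2024-09-01T10:00:09Z node-17 boot: reset reason=watchdog
2024-09-01T10:01:15Z node-22 sha224 request id=7 complete
2024-09-01T10:02:02Z node-17 assertion failure: sha224 digest length 32 != 28
2024-09-01T10:02:03Z node-17 watchdog timeout, resetting
2024-09-01T10:02:09Z node-17 boot: reset reason=watchdog
2024-09-01T10:05:00Z node-22 boot: reset reason=power-on
"""

# "<timestamp> <device> <message>" (assumed collector format)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<dev>\S+)\s+(?P<msg>.*)$")

# One regex per indicator from the advisory's "Log Indicators" list.
INDICATORS = {
    "assertion_failure": re.compile(r"assert(ion)?\s+fail", re.I),
    "watchdog_timeout": re.compile(r"watchdog\s+timeout", re.I),
    # any line that mentions SHA-224 together with an error/failure/assert word
    "sha224_error": re.compile(r"(?=.*sha2?[/-]?224)(?=.*(error|fail|assert))", re.I),
    "restart": re.compile(r"\b(boot|reboot|restart)\b", re.I),
}


def scan_logs(text: str) -> list:
    """Return one hit dict per (line, indicator) match."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(m["msg"]):
                hits.append({"ts": m["ts"], "device": m["dev"],
                             "indicator": name, "msg": m["msg"]})
    return hits


def indicator_counts(hits: list) -> dict:
    """device -> Counter of indicator names."""
    counts = defaultdict(Counter)
    for h in hits:
        counts[h["device"]][h["indicator"]] += 1
    return dict(counts)


def flag_devices(counts: dict, restart_threshold: int = 2) -> dict:
    """device -> list of reasons for devices that look affected."""
    flagged = {}
    for dev, c in counts.items():
        reasons = []
        if c["restart"] >= restart_threshold:
            reasons.append(f"{c['restart']} restarts (threshold {restart_threshold})")
        if c["assertion_failure"] and c["restart"]:
            reasons.append("assertion failure followed by restart")
        if c["sha224_error"]:
            reasons.append(f"{c['sha224_error']} SHA2/224 error lines")
        if reasons:
            flagged[dev] = reasons
    return flagged


if __name__ == "__main__":
    counts = indicator_counts(scan_logs(SAMPLE_LOGS))
    for dev, reasons in flag_devices(counts).items():
        print(dev, "->", "; ".join(reasons))
```

A single power-on boot (node-22) is not flagged, which keeps routine maintenance reboots out of the alert; tune `restart_threshold` to the restart rate that is normal for your fleet.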
