CVE-2024-9355

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.0 / Impact : 5.5

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:10133
https://access.redhat.com/errata/RHSA-2024:7502
https://access.redhat.com/errata/RHSA-2024:7550
https://access.redhat.com/errata/RHSA-2024:8327
https://access.redhat.com/errata/RHSA-2024:8678
https://access.redhat.com/errata/RHSA-2024:8847
https://access.redhat.com/errata/RHSA-2024:9551
https://access.redhat.com/errata/RHSA-2025:2416
https://access.redhat.com/errata/RHSA-2025:7118
https://access.redhat.com/errata/RHSA-2025:7256
https://access.redhat.com/errata/RHSA-2025:7624
https://access.redhat.com/security/cve/CVE-2024-9355
https://bugzilla.redhat.com/show_bug.cgi?id=2315719
https://github.com/golang-fips/openssl/pull/198

Configurations

No configuration.

History

No history.

Information

Published : 2024-10-01 19:15

Updated : 2025-10-02 17:16

NVD link : CVE-2024-9355

Mitre link : CVE-2024-9355

CVE.ORG link : CVE-2024-9355

JSON object : View

Products Affected

No product.

CWE

CWE-457

Use of Uninitialized Variable

{"id": "CVE-2024-9355", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.5, "exploitabilityScore": 1.0}]}, "published": "2024-10-01T19:15:09.793", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:10133", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2024:7502", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2024:7550", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2024:8327", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2024:8678", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2024:8847", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2024:9551", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:2416", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:7118", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:7256", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2025:7624", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2024-9355", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2315719", "source": "[email protected]"}, {"url": "https://github.com/golang-fips/openssl/pull/198", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-457"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed hmac sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum.\u00a0 It is also possible to force a derived key to be all zeros instead of an unpredictable value.\u00a0 This may have follow-on implications for the Go TLS stack."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Golang FIPS OpenSSL. Esta falla permite que un usuario malintencionado haga que se devuelva aleatoriamente una variable de longitud de b\u00fafer no inicializada con un b\u00fafer puesto a cero en modo FIPS. Tambi\u00e9n es posible forzar una coincidencia de falso positivo entre hashes no iguales al comparar una suma hmac calculada confiable con una suma de entrada no confiable si un atacante puede enviar un b\u00fafer puesto a cero en lugar de una suma calculada previamente. Tambi\u00e9n es posible forzar que una clave derivada sea todo ceros en lugar de un valor impredecible. Esto puede tener implicaciones posteriores para la pila TLS de Go."}], "lastModified": "2025-10-02T17:16:04.647", "sourceIdentifier": "[email protected]"}