CVE-2024-22473
Uninitialized TRNG used for ECDSA after EM2/EM3 sleep for VSE devices
In short
A random number generator used for digital signatures isn't properly initialized when a device wakes up from sleep mode, potentially allowing attackers to forge digital signatures by recreating the keys used to sign them.
Technical detail
The TRNG (True Random Number Generator) is accessed by the ECDSA signing driver before initialization upon exit from EM2/EM3 sleep states on VSE devices, creating a predictable cryptographic state. This enables signature spoofing via key recreation due to insufficient entropy during the critical initialization window. The issue affects Gecko SDK versions through v4.4.0.
Summary generated and translated by AI from the official description.
TRNG is used before initialization by ECDSA signing driver when exiting EM2/EM3 on Virtual Secure Vault (VSE) devices. This defect may allow Signature Spoofing by Key Recreation. This issue affects Gecko SDK through v4.4.0.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
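A check a defender can run over signatures already collected from fielded devices, added here as an example and not taken from the advisory or from Silicon Labs code. In ECDSA the r value depends only on the per-signature nonce, so the same r appearing with different s values under one key means the nonce source repeated. The record layout, key and message IDs, DER encoding of the signatures, and the premise that the defect shows up as repeated nonces are all assumptions.

```python
from collections import defaultdict

def _read_int(buf, pos):
    """Decode one DER INTEGER (short-form length) at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, start = buf[pos + 1], pos + 2
    if length == 0 or length >= 0x80 or start + length > len(buf):
        raise ValueError("bad INTEGER length")
    return int.from_bytes(buf[start:start + length], "big"), start + length

def parse_der_sig(der):
    """Parse SEQUENCE { INTEGER r, INTEGER s } into (r, s).
    Short-form lengths only, which covers curves up to P-384."""
    if len(der) < 8 or der[0] != 0x30 or der[1] >= 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    r, pos = _read_int(der, 2)
    s, pos = _read_int(der, pos)
    if pos != len(der):
        raise ValueError("trailing data")
    return r, s

def find_reused_nonces(records):
    """records: (key_id, msg_id, der_sig) tuples. Returns {(key_id, r): [msg_id, ...]}
    for each r seen with two or more different s values under the same key."""
    seen = defaultdict(dict)
    for key_id, msg_id, der in records:
        r, s = parse_der_sig(der)
        seen[(key_id, r)].setdefault(s, msg_id)  # identical (r, s) is a replay
    return {k: sorted(v.values()) for k, v in seen.items() if len(v) > 1}

def _der(r, s):  # encoder used only to build the constructed samples below
    enc = lambda v: bytes([2, v.bit_length() // 8 + 1]) + v.to_bytes(v.bit_length() // 8 + 1, "big")
    body = enc(r) + enc(s)
    return bytes([0x30, len(body)]) + body

# Constructed sample data: made-up integers, not real signatures.
R1, R2, S1, S2, S3 = (int(h * 32, 16) for h in ("1a", "2b", "3c", "4d", "5e"))
SAMPLE = [
    ("dev-01", "msg-1", _der(R1, S1)),
    ("dev-01", "msg-2", _der(R1, S2)),  # same r, different s: nonce repeated
    ("dev-01", "msg-3", _der(R2, S3)),
    ("dev-02", "msg-4", _der(R1, S1)),  # other key, outside this per-key check
    ("dev-01", "msg-1", _der(R1, S1)),  # exact replay of msg-1: not reuse
]

if __name__ == "__main__":
    for (key_id, r), msgs in find_reused_nonces(SAMPLE).items():
        print(f"{key_id}: r={r:#x} repeated across {msgs}")
```

A key flagged by this check should be treated as exposed and rotated once the device runs an SDK release later than those the advisory lists as affected.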
Affected products
silabs.com · GSDK