CVE-2024-28285: 
Linux Debian vulnerability analysis and mitigation

A Fault Injection vulnerability was discovered in Cryptopp Crypto++ 8.9, specifically affecting the SymmetricDecrypt function in cryptopp/elgamal.h. The vulnerability was assigned CVE-2024-28285 and was disclosed on May 14, 2024. The vulnerability was discovered by researchers from Peking University and The University of Western Australia: Junkai Liang, Zhi Zhang, Xin Zhang, and Qingni Shen (GitHub POC).

The vulnerability is classified as a Fault Injection vulnerability with a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from insufficient protection mechanisms in the SymmetricDecrypt function within the ElGamal implementation. The vulnerability is associated with CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-285 (Improper Authorization) (NVD).

The vulnerability allows an attacker who can co-reside in the same system with a victim process to disclose sensitive information and potentially escalate privileges. This poses a significant security risk for systems using the affected Crypto++ versions (Debian Tracker).

As of the current date, there is no official fix available for this vulnerability. The issue has been reported to the Crypto++ project through their GitHub repository and is being tracked for resolution (GitHub Issue).

The vulnerability has been discussed in the Crypto++ user community, with ongoing discussions about potential fixes and impact assessment (Cryptopp Users).