Bugzilla – Bug 733252
VUL-0: CVE-2011-4354: openssl: 0.9.8g 32bit leaks ECC private keys
Last modified: 2013-08-28 08:49:44 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. The issue is public.

CVE-2011-4354

Citing Billy Brumley:

> Vulnerability description
> ===========================
> The openssl-dev mailing list thread
>
> http://marc.info/?t=119271238800004
>
> describes a bug affecting 32-bit builds of OpenSSL 0.9.8g. In extremely
> rare instances, it causes incorrect computation of finite field operations
> when using NIST elliptic curves P-256 or P-384.
>
> Exploiting said bug, we designed and implemented an attack that recovers a
> TLS server's private key. As far as we are aware, this is the first public
> exploitation of the bug.
>
> The bug is fixed in OpenSSL >= 0.9.8h and a series of patches is available
> to resolve it for version 0.9.8g starting from check in version 1.15 at
>
> http://cvs.openssl.org/rlog?f=openssl%2Fcrypto%2Fbn%2Fbn_nist.c
>
> As a more generic countermeasure to these types of attacks, we implemented
> coordinate blinding as a patch to the OpenSSL source, available on the
> openssl-dev mailing list at
>
> http://marc.info/?l=openssl-dev&m=131194808413635
>
> You can find our manuscript describing the attack at
>
> http://eprint.iacr.org/2011/633
>
> and our proof-of-concept code to verify the attack at
>
> http://crypto.di.uminho.pt/CACE/
Adding Anja and Stephan Mueller, atsec, to Cc: for effect of bug on FIPS-140-2 validation.
Stephan, please note that sles10-sp4 contains openssl-0.9.8a, which is why this bug exists. I'm adding you for completeness due to the cross-reference of bnc#739719.
I think the issue is irrelevant for FIPS at this point. We do not allow ECC (neither EC-DSA nor EC-DH are included in the CAVS validation). Although I opt for fixing the issue, it is no showstopper for the FIPS work.
Created attachment 529927 [details]
demo.c

gcc -O2 -Wall -o demo demo.c -lcrypto
./demo

All 3 points should report either "is on curve" or "is not on curve".

FAIL:
A is on curve
B is on curve
C is not on curve

SUCCESS:
A is on curve
B is on curve
C is on curve

UNTESTED/SKIP for 64bit:
A is not on curve
B is not on curve
C is not on curve
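The attachment above is not reproduced on this page, so the following is an added example (not the contents of demo.c and not OpenSSL code) of the same kind of sanity check: it implements P-256 affine arithmetic in pure Python, computes a few scalar multiples of the base point, and reports for each resulting point whether it satisfies the curve equation. The bug described in the report makes bn_nist.c's reduction produce wrong field elements in rare cases, and an off-curve result is exactly what such a wrong reduction looks like from the outside. The curve constants are the published P-256 parameters; the sample points A, B and C, and the deliberately corrupted C, are constructed here to mirror the FAIL output pattern shown in the comment.

```python
# Added example: on-curve sanity check for P-256 points, pure Python.
# Not the demo.c attachment and not OpenSSL's own code.

# P-256 (secp256r1) domain parameters as published in FIPS 186 / SEC 2.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)

INF = None  # point at infinity, the group identity


def is_on_curve(pt):
    """True if pt satisfies y^2 = x^3 + a*x + b (mod p); INF counts as on-curve."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition/doubling with the textbook formulas."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow((2 * y1) % P, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P           # addition
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Right-to-left double-and-add scalar multiplication."""
    result = INF
    addend = pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def check_scalar_multiples(scalars):
    """Map each scalar k to whether k*G lands on the curve.

    With correct field arithmetic every entry is True; a faulty reduction
    (the class of bug in the report) would show up as a False entry.
    """
    return {k: is_on_curve(mul(k, G)) for k in scalars}


def report(points):
    """Produce demo.c-style verdicts: {label: 'is on curve' | 'is not on curve'}."""
    return {label: ("is on curve" if is_on_curve(pt) else "is not on curve")
            for label, pt in points.items()}


# Constructed sample points: A and B are genuine multiples of G; C has its
# y-coordinate corrupted by one, standing in for a wrongly reduced result.
SAMPLE_POINTS = {
    "A": G,
    "B": mul(2, G),
    "C": (GX, GY + 1),
}

if __name__ == "__main__":
    for label, verdict in report(SAMPLE_POINTS).items():
        print(label, verdict)
    print("n*G is infinity:", mul(N, G) is INF)
```

Run on its own, the block prints verdicts for A, B and C and confirms that n*G is the point at infinity; the `check_scalar_multiples` function is the piece to reuse against any scalar multiplication routine you want to vet, by swapping `mul` for the implementation under test and feeding it a large batch of random scalars.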
Update released for: openssl, openssl-32bit, openssl-debuginfo, openssl-devel, openssl-devel-32bit, openssl-doc
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: openssl, openssl-32bit, openssl-64bit, openssl-debuginfo, openssl-devel, openssl-devel-32bit, openssl-devel-64bit, openssl-doc, openssl-x86
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
LTSS updates are tested; otherwise we can close this now.
Update released for: openssl, openssl-devel, openssl-doc
Products:
SUSE-CORE 9-LTSS (i386, s390, s390x, x86_64)