Bugzilla – Bug 991464
VUL-0: CVE-2016-6489: libnettle: RSA code is vulnerable to cache-timing related attacks
Last modified: 2019-02-03 09:52:36 UTC
Quoting from RH BZ: A cache-related side channel was found in nettle RSA code. An attacker could use specially crafted RSA or DSA data, which could make the SSL/TLS connection susceptible to Man-in-the-Middle attacks: rh#1362016

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1362016
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6489
http://seclists.org/oss-sec/2016/q3/202
https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3
I checked the problem. Based on the discussion on the mailing list it has quite some issues/regressions. I would recommend actually waiting for upstream to have a fix that really works.
This is now released upstream in 3.3:

> This release fixes a couple of bugs, and improves resistance
> to side-channel attacks on RSA and DSA private key operations.
> [...]
>
> * RSA and DSA now use side-channel silent modular
> exponentiation, to defend against attacks on the private key
> from evil processes sharing the same processor cache. This
> attack scenario is of particular relevance when running an
> HTTPS server on a virtual machine, where you don't know who
> you share the cache hardware with.
>
> (Private key operations on elliptic curves were already
> side-channel silent).
List of commits:
https://git.lysator.liu.se/nettle/nettle/commit/52b9223126b3f997c00d399166c006ae28669068
https://git.lysator.liu.se/nettle/nettle/commit/c66b5f203861729b7a5f006c6f4368acad878f36
https://git.lysator.liu.se/nettle/nettle/commit/b188d67a4db8fe8e8ec9580fdceba227d7d289bf
https://git.lysator.liu.se/nettle/nettle/commit/5eb30d94f6f5f3f0cb9ba9ed24bc52b7376176b6
https://git.lysator.liu.se/nettle/nettle/commit/52b9223126b3f997c00d399166c006ae28669068
https://git.lysator.liu.se/nettle/nettle/commit/544b4047de689519ab3e6ec55b776b95b3e264a9
Created attachment 727154 [details]
Patch for SLE-12

Hi, I am the new maintainer of this package. After some research, I have seen that the majority of the changes are in commit [1], which switches from function mpz_powm to mpz_powm_sec. Function mpz_powm_sec handles only odd moduli. As mentioned in [2] and the following messages, there are some other parity checks that must be implemented for this new function to work properly; these are given in commits [3-5]. Note that commit [3] does not apply in 2.7.1. I have just submitted to SLE-12:Update. Could you please check that the applied patch does not break anything?

Codestream          Version
-------------------------------------------------------------
Factory             3.3       Not affected
Leap:42.2:Update    2.7.1     Comes from SUSE:SLE-12:Update
Leap:42.1:Update    2.7.1     Comes from SUSE:SLE-12:GA
SLE-12:Update       2.7.1     mr#133471

[1] https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3
[2] https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html
[3] https://git.lysator.liu.se/nettle/nettle/commit/52b9223126b3f997c00d399166c006ae28669068
[4] https://git.lysator.liu.se/nettle/nettle/commit/5eb30d94f6f5f3f0cb9ba9ed24bc52b7376176b6
[5] https://git.lysator.liu.se/nettle/nettle/commit/c66b5f203861729b7a5f006c6f4368acad878f36
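The comment above notes that mpz_powm_sec only accepts odd moduli and that nettle's follow-up commits add parity checks before using it. The Python below is an added illustration of both points; it is not code from nettle, GMP, the SUSE patch or this bug, and all function names and sample values in it are constructed for the example. It contrasts textbook square-and-multiply, whose number of modular multiplications grows with the number of set bits in the (private) exponent, with a Montgomery ladder over Montgomery-reduced values, which performs exactly two multiplications per exponent bit regardless of their values. Montgomery reduction inverts the modulus modulo a power of two, which is why it, like mpz_powm_sec, refuses even moduli, and that is the precondition the caller-side parity check guards. Python integers are not constant-time, so the returned multiplication counts are a model of the data-dependent work a cache-timing observer sees, not a measurement.

```python
"""Added example (not nettle, GMP or SUSE code): models the exponent-dependent
work behind CVE-2016-6489 and the odd-modulus precondition of mpz_powm_sec."""


def naive_modexp(base, exp, mod):
    """Left-to-right square-and-multiply. Returns (result, multiplications).
    One squaring per exponent bit plus one extra multiply per set bit, so the
    amount of work depends on the secret exponent."""
    result, b, ops = 1 % mod, base % mod, 0
    for bit in bin(exp)[2:]:                 # most significant bit first
        result = result * result % mod
        ops += 1
        if bit == "1":                       # exponent-dependent branch
            result = result * b % mod
            ops += 1
    return result, ops


def cswap(bit, a, b):
    """Swap a and b when bit == 1, using a mask rather than a branch."""
    mask = -bit                              # 0 -> 0, 1 -> all ones
    d = (a ^ b) & mask
    return a ^ d, b ^ d


def ladder_modexp(base, exp, mod):
    """Montgomery ladder on Montgomery-form values. Returns (result, multiplications).
    Like mpz_powm_sec it accepts only odd moduli: Montgomery reduction needs the
    inverse of mod modulo a power of two, which does not exist for even mod.
    That is the parity check a caller must perform before using such a routine."""
    if mod <= 0 or mod % 2 == 0:
        raise ValueError("ladder_modexp: modulus must be positive and odd")
    if exp < 0:
        raise ValueError("ladder_modexp: exponent must be non-negative")
    k = mod.bit_length()
    r = 1 << k                               # Montgomery radix R > mod
    r_mask = r - 1
    n_prime = (-pow(mod, -1, r)) % r         # -mod^-1 mod R (needs odd mod)

    def redc(t):
        """Montgomery reduction: t * R^-1 mod `mod`, valid for t < mod * R."""
        m = (t * n_prime) & r_mask
        u = (t + m * mod) >> k
        # Final conditional subtraction; real constant-time code masks this too.
        return u - mod if u >= mod else u

    ops = 0

    def mont_mul(a, b):
        nonlocal ops
        ops += 1
        return redc(a * b)

    r0 = r % mod                             # Montgomery form of 1
    r1 = (base % mod) * r % mod              # Montgomery form of base
    for c in bin(exp)[2:]:                   # same two multiplications per bit
        bit = int(c)
        r0, r1 = cswap(bit, r0, r1)
        r1 = mont_mul(r0, r1)
        r0 = mont_mul(r0, r0)
        r0, r1 = cswap(bit, r0, r1)
    return redc(r0), ops


def leak_profile(mod, exponents):
    """Multiplication counts for several exponents: naive counts vary with the
    number of set bits, ladder counts depend only on the bit length."""
    return {"naive": [naive_modexp(2, e, mod)[1] for e in exponents],
            "ladder": [ladder_modexp(2, e, mod)[1] for e in exponents]}


if __name__ == "__main__":
    # Constructed textbook RSA parameters: n = 61 * 53, e = 17, d = 2753.
    print(ladder_modexp(2790, 2753, 3233))   # (65, 24)
    print(naive_modexp(2790, 2753, 3233))    # (65, 17)
    print(leak_profile(101, [0b1000, 0b1111]))
```

Running it shows that both routines decrypt the constructed ciphertext to 65, but the naive routine's count changes with the exponent's Hamming weight while the ladder's stays at twice the bit length; passing an even modulus to `ladder_modexp` raises `ValueError` instead of silently computing a wrong result.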
Created attachment 727172 [details]
Patch for SLE-12

Updated patch and new maintenance request mr#133484.
SUSE-SU-2017:1481-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 991464
CVE References: CVE-2016-6489
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): libnettle-2.7.1-12.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): libnettle-2.7.1-12.1
SUSE Linux Enterprise Server 12-SP2 (src): libnettle-2.7.1-12.1
SUSE Linux Enterprise Desktop 12-SP2 (src): libnettle-2.7.1-12.1
openSUSE-SU-2017:1533-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 991464
CVE References: CVE-2016-6489
Sources used:
openSUSE Leap 42.2 (src): libnettle-2.7.1-10.3.1
released
This is an autogenerated message for OBS integration:
This bug (991464) was mentioned in
https://build.opensuse.org/request/show/670843 15.1 / libnettle