oss-sec mailing list archives
Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations
From: Marcus Meissner <meissner () suse de>
Date: Wed, 8 Jun 2016 17:38:57 +0200
Hi, the openssl team usually announces those LOW issues together with the other issues during their semi regular advisories. (And usually as soon as these LOW CVE issues are getting added to git, a new advisory is not far away.) Ciao, Marcus On Wed, Jun 08, 2016 at 05:33:35PM +0200, Gsunde Orangen wrote:
... which would be a different rating to the "moderate" that the RedHat team ended up with: https://access.redhat.com/security/cve/CVE-2016-2178 I agree that both ratings are reasonable; so still awaiting for the OpenSSL announcement at least in the vulnerability section ( https://www.openssl.org/news/vulnerabilities.html#y2016). (Could be that I am just too impatient ;-) 2016-06-08 17:18 GMT+02:00 Alex Gaynor <alex.gaynor () gmail com>:I assume the OpenSSL team considers this vulnerability to be LOW severity: https://www.openssl.org/policies/secpolicy.html Alex On Wed, Jun 8, 2016 at 11:15 AM, Gsunde Orangen <gsunde.orangen () gmail com> wrote:Whilst there is a commit in openssl and a CVE ID, I wonder why thishasn'tbeen announced yet by OpenSSL.org and why there are no official fix releases (yet). What made this issue different to the usual coordinated disclosures being practiced with the OpenSSL team? 2016-06-08 10:54 GMT+02:00 Solar Designer <solar () openwall com>:Hi, Just off Twitter: <mjos_crypto> Out today: This is the OpenSSL side-channelvulnerability Imentioned last week; now on ePrint. Also CVE-2016-2178. http://eprint.iacr.org/2016/594 <@mjos_crypto> @mjos_crypto Currently unfixed in essentially alldistros.<mjos_crypto> Note that CVE-2016-2178 / http://eprint.iacr.org/2016/594.pdf most severely actually impacts OpenSSH, which uses the OpenSSL library. <mjos_crypto> Cesar's CVE-2016-2178 patch for the OpenSSL library from Monday.https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2http://eprint.iacr.org/2016/594 | "Make Sure DSA Signing Exponentiations Really are Constant-Time'' | | Cesar Pereida Garca and Billy Bob Brumley and Yuval Yarom | | Abstract: TLS and SSH are two of the most commonly used protocols for securing Internet traffic. Many of the implementations of theseprotocolsrely on the cryptographic primitives provided in the OpenSSL library.Inthis work we disclose a vulnerability in OpenSSL, affecting allversionsand forks (e.g. LibreSSL and BoringSSL) since roughly October 2005,whichrenders the implementation of the DSA signature scheme vulnerable to cache-based side-channel attacks. Exploiting the software defect, we demonstrate the first published cache-based key-recovery attack ontheseprotocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host keyfroman OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bitDSAkey from an stunnel server. | | Category / Keywords: applied cryptography; digital signatures; side-channel analysis; timing attacks; cache-timing attacks; DSA;OpenSSL;CVE-2016-2178 | | Date: received 6 Jun 2016, last revised 7 Jun 2016https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2| author Cesar Pereida | Mon, 23 May 2016 12:45:25 +0300 (12:45 +0300) | committer Matt Caswell | Mon, 6 Jun 2016 13:08:15 +0300 (11:08 +0100) | Fix DSA, preserve BN_FLG_CONSTTIME | | Operations in the DSA signing algorithm should run in constant timein| order to avoid side channel attacks. A flaw in the OpenSSL DSA | implementation means that a non-constant time codepath is followedfor| certain operations. This has been demonstrated through a cache-timing | attack to be sufficient for an attacker to recover the private DSAkey.| | CVE-2016-2178 Alexander-- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: D1B3 ADC0 E023 8CA6
-- Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner () suse de>
Current thread:
- CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Solar Designer (Jun 08)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Gsunde Orangen (Jun 08)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Alex Gaynor (Jun 08)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Gsunde Orangen (Jun 08)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Marcus Meissner (Jun 08)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Roman Drahtmueller (Jun 08)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Roman Drahtmueller (Jun 08)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Billy Brumley (Jun 08)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Roman Drahtmueller (Jun 09)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Billy Brumley (Jun 09)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Alex Gaynor (Jun 08)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Gsunde Orangen (Jun 08)
- Re: CVE-2016-2178: OpenSSL DSA follows a non-constant time codepath for certain operations Billy Brumley (Jun 08)