oss-sec mailing list archives

Re: CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks


From: Hanno Böck <hanno () hboeck de>
Date: Sat, 30 Jul 2016 10:16:58 -0400

On Fri, 29 Jul 2016 14:19:38 +0530
Huzaifa Sidhpurwala <huzaifas () redhat com> wrote:

> The following whitepaper talks about libgcrypt's RSA code being
> vulnerable to a cache timing attack, which the paper claims is fixed
> in 1.6.3.
>
> It seems nettle is also vulnerable to this flaw, which was confirmed
> by upstream via:
> https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html
>
> The above link also contains a proposed patch, which will be committed soon.

FYI, this patch had some unintended side effects:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003104.html

They replaced GMP's mpz_powm with mpz_powm_sec, however the latter is
not equivalent. It requires odd moduli and will crash with a floating
point exception if the modulus is even.

This is actually a bug class that may turn out to be interesting; I
recently experienced something very similar (but more severe) in
matrixssl (writeup on that will follow as soon as I find time for it).
Bignum libraries have certain conditions on how their input is formed
and don't behave well if the input isn't what they expect. These
conditions usually make sense in the average use case, but not
necessarily if an attacker can control some of the input.


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
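Added illustration of the contract difference the thread describes, not code from nettle, GMP or the poster: a toy Montgomery-form powm that carries the same preconditions as mpz_powm_sec (exp > 0, odd modulus), and the caller-side check that routes out-of-contract input to an error instead of a crash. Function names, the Montgomery ladder and the sample values are all constructed for this example.

```python
# Added example (not nettle's or GMP's code). Python integers are not
# constant-time; only the operation structure and the input contract of a
# _sec-style modular exponentiation are modelled here.

def montgomery_powm(base: int, exp: int, mod: int) -> int:
    """Left-to-right Montgomery ladder with REDC reduction.

    Like mpz_powm_sec this needs exp > 0 and an odd mod: REDC multiplies
    by -mod^-1 mod 2^k, and that inverse does not exist for an even mod,
    which is why GMP aborts with the SIGFPE ("floating point exception")
    mentioned in the thread instead of returning a wrong value.
    """
    if exp <= 0:
        raise ValueError("exp must be > 0")
    if mod <= 0 or mod % 2 == 0:
        raise ValueError("mod must be positive and odd")
    k = mod.bit_length()
    R = 1 << k                        # Montgomery radix: R > mod, gcd(R, mod) = 1
    mask = R - 1
    n_prime = (-pow(mod, -1, R)) % R  # -mod^-1 mod R (Python 3.8+)

    def redc(t: int) -> int:          # t * R^-1 mod mod, valid for 0 <= t < mod * R
        m = ((t & mask) * n_prime) & mask
        u = (t + m * mod) >> k
        return u - mod if u >= mod else u

    r0 = R % mod                      # Montgomery form of 1
    r1 = (base % mod) * R % mod       # Montgomery form of base
    for bit in bin(exp)[2:]:          # one multiply and one square per bit
        if bit == "0":
            r1, r0 = redc(r0 * r1), redc(r0 * r0)
        else:
            r0, r1 = redc(r0 * r1), redc(r1 * r1)
    return redc(r0)                   # leave Montgomery form


def powm_sec_args_ok(exp: int, mod: int) -> bool:
    """The precondition a caller must verify before handing arguments to a
    _sec-style powm; an RSA modulus p*q is always odd, so an even value is
    invalid input rather than a case to compute."""
    return exp > 0 and mod > 0 and mod % 2 == 1


def safe_powm(base: int, exp: int, mod: int) -> int:
    """Reject out-of-contract input up front, so attacker-influenced
    parameters reach an error path rather than a process-killing signal."""
    if not powm_sec_args_ok(exp, mod):
        raise ValueError("modulus must be odd and exponent positive")
    return montgomery_powm(base, exp, mod)
```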


