oss-sec mailing list archives
Re: CVE Request: nettle's RSA code is vulnerable to cache sharing related attacks
From: Hanno Böck <hanno () hboeck de>
Date: Sat, 30 Jul 2016 10:16:58 -0400
On Fri, 29 Jul 2016 14:19:38 +0530 Huzaifa Sidhpurwala <huzaifas () redhat com> wrote:
> The following whitepaper talks about libgcrypt's RSA code being vulnerable to a cache timing attack, which the paper claims is fixed in 1.6.3.
> It seems nettle is also vulnerable to this flaw, which was confirmed by upstream via:
> https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html
> The above link also contains a proposed patch, which will be committed soon.
FYI, this patch had some unintended side effects:
https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003104.html

They replaced GMP's mpz_powm with mpz_powm_sec, however the latter is not equivalent. It requires odd moduli and will crash with a floating point exception if the modulus is even.

This is actually a bug class that may turn out to be interesting. I recently experienced something very similar (but more severe) in matrixssl (writeup on that will follow as soon as I find time for it). Bignum libraries have certain conditions on how their input is formed and don't behave well if the input isn't what they expect. These conditions usually make sense in the average use case, but not necessarily if an attacker can control some of the input.

--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42
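As an added illustration (not nettle's or GMP's code), the snippet below shows why a "secure" modular exponentiation can carry a precondition the plain one does not: constant-time powm routines are typically built on Montgomery reduction, which only works for an odd modulus. It implements that exponentiation in Python and validates the modulus up front, so a caller gets a catchable error instead of the hard fault the message describes; the function name and the checking helper are assumptions for this example.

```python
import random


def montgomery_powm(base: int, exp: int, mod: int) -> int:
    """Square-and-multiply in the Montgomery domain (illustrative, not GMP).

    Montgomery reduction needs mod^-1 mod R, which exists only for odd mod.
    Instead of letting that fail deep inside the arithmetic, reject the
    input explicitly so attacker-controlled parameters cannot crash us.
    """
    if mod <= 1 or mod % 2 == 0:
        raise ValueError("Montgomery reduction requires an odd modulus > 1")
    if exp < 0:
        raise ValueError("negative exponent not supported")
    k = mod.bit_length()
    R = 1 << k                               # R = 2^k > mod, gcd(R, mod) == 1
    neg_inv = (-pow(mod, -1, R)) % R         # mod * neg_inv == -1 (mod R)

    def redc(t: int) -> int:
        # Returns t * R^-1 mod mod; valid for 0 <= t < mod * R.
        m = ((t & (R - 1)) * neg_inv) & (R - 1)
        u = (t + m * mod) >> k               # exact: t + m*mod == 0 (mod R)
        return u - mod if u >= mod else u

    acc = R % mod                            # Montgomery form of 1
    x = (base % mod) * R % mod               # Montgomery form of base
    for bit in bin(exp)[2:]:
        acc = redc(acc * acc)
        if bit == "1":
            acc = redc(acc * x)
    return redc(acc)                         # leave the Montgomery domain


def agrees_with_builtin(trials: int = 200, seed: int = 1) -> bool:
    """Cross-check against Python's pow() on random odd moduli."""
    rng = random.Random(seed)
    for _ in range(trials):
        mod = rng.getrandbits(64) | 1        # force the modulus odd
        base = rng.getrandbits(64)
        exp = rng.getrandbits(32)
        if montgomery_powm(base, exp, mod) != pow(base, exp, mod):
            return False
    return True
```

Calling `montgomery_powm(3, 5, 10)` raises `ValueError` rather than crashing, which is the behaviour a wrapper around `mpz_powm_sec` should enforce before handing over an attacker-influenced modulus.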