Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Jun 2016 11:18:41 -0400
From: Alex Gaynor <alex.gaynor@...il.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CVE-2016-2178: OpenSSL DSA follows a non-constant
 time codepath for certain operations

I assume the OpenSSL team considers this vulnerability to be LOW severity:
https://www.openssl.org/policies/secpolicy.html

Alex

On Wed, Jun 8, 2016 at 11:15 AM, Gsunde Orangen <gsunde.orangen@...il.com>
wrote:

> Whilst there is a commit in openssl and a CVE ID, I wonder why this hasn't
> been announced yet by OpenSSL.org and why there are no official fix
> releases (yet).
> What made this issue different to the usual coordinated disclosures being
> practiced with the OpenSSL team?
>
> 2016-06-08 10:54 GMT+02:00 Solar Designer <solar@...nwall.com>:
>
> > Hi,
> >
> > Just off Twitter:
> >
> > <mjos_crypto> Out today: This is the OpenSSL side-channel vulnerability I
> > mentioned last week; now on ePrint. Also CVE-2016-2178.
> > http://eprint.iacr.org/2016/594
> > <@...s_crypto> @mjos_crypto Currently unfixed in essentially all distros.
> > <mjos_crypto> Note that CVE-2016-2178 /
> > http://eprint.iacr.org/2016/594.pdf most severely actually impacts
> > OpenSSH, which uses the OpenSSL library.
> > <mjos_crypto> Cesar's CVE-2016-2178 patch for the OpenSSL library from
> > Monday.
> >
> https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
> >
> > http://eprint.iacr.org/2016/594
> >
> > | "Make Sure DSA Signing Exponentiations Really are Constant-Time''
> > |
> > | Cesar Pereida Garca and Billy Bob Brumley and Yuval Yarom
> > |
> > | Abstract: TLS and SSH are two of the most commonly used protocols for
> > securing Internet traffic. Many of the implementations of these protocols
> > rely on the cryptographic primitives provided in the OpenSSL library. In
> > this work we disclose a vulnerability in OpenSSL, affecting all versions
> > and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005, which
> > renders the implementation of the DSA signature scheme vulnerable to
> > cache-based side-channel attacks. Exploiting the software defect, we
> > demonstrate the first published cache-based key-recovery attack on these
> > protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key
> from
> > an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit
> DSA
> > key from an stunnel server.
> > |
> > | Category / Keywords: applied cryptography; digital signatures;
> > side-channel analysis; timing attacks; cache-timing attacks; DSA;
> OpenSSL;
> > CVE-2016-2178
> > |
> > | Date: received 6 Jun 2016, last revised 7 Jun 2016
> >
> >
> >
> https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
> >
> > | author        Cesar Pereida
> > |       Mon, 23 May 2016 12:45:25 +0300 (12:45 +0300)
> > | committer     Matt Caswell
> > |       Mon, 6 Jun 2016 13:08:15 +0300 (11:08 +0100)
> >
> > | Fix DSA, preserve BN_FLG_CONSTTIME
> > |
> > | Operations in the DSA signing algorithm should run in constant time in
> > | order to avoid side channel attacks. A flaw in the OpenSSL DSA
> > | implementation means that a non-constant time codepath is followed for
> > | certain operations. This has been demonstrated through a cache-timing
> > | attack to be sufficient for an attacker to recover the private DSA key.
> > |
> > | CVE-2016-2178
> >
> > Alexander
> >
>



-- 
"I disapprove of what you say, but I will defend to the death your right to
say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
"The people's good is the highest law." -- Cicero
GPG Key fingerprint: D1B3 ADC0 E023 8CA6

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ