Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Jun 2016 17:33:35 +0200
From: Gsunde Orangen <gsunde.orangen@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-2178: OpenSSL DSA follows a non-constant
 time codepath for certain operations

... which would be a different rating to the "moderate" that the RedHat
team ended up with: https://access.redhat.com/security/cve/CVE-2016-2178
I agree that both ratings are reasonable; so still awaiting for the OpenSSL
announcement at least in the vulnerability section (
https://www.openssl.org/news/vulnerabilities.html#y2016).
(Could be that I am just too impatient ;-)

2016-06-08 17:18 GMT+02:00 Alex Gaynor <alex.gaynor@...il.com>:

> I assume the OpenSSL team considers this vulnerability to be LOW severity:
> https://www.openssl.org/policies/secpolicy.html
>
> Alex
>
> On Wed, Jun 8, 2016 at 11:15 AM, Gsunde Orangen <gsunde.orangen@...il.com>
> wrote:
>
> > Whilst there is a commit in openssl and a CVE ID, I wonder why this
> hasn't
> > been announced yet by OpenSSL.org and why there are no official fix
> > releases (yet).
> > What made this issue different to the usual coordinated disclosures being
> > practiced with the OpenSSL team?
> >
> > 2016-06-08 10:54 GMT+02:00 Solar Designer <solar@...nwall.com>:
> >
> > > Hi,
> > >
> > > Just off Twitter:
> > >
> > > <mjos_crypto> Out today: This is the OpenSSL side-channel
> vulnerability I
> > > mentioned last week; now on ePrint. Also CVE-2016-2178.
> > > http://eprint.iacr.org/2016/594
> > > <@...s_crypto> @mjos_crypto Currently unfixed in essentially all
> distros.
> > > <mjos_crypto> Note that CVE-2016-2178 /
> > > http://eprint.iacr.org/2016/594.pdf most severely actually impacts
> > > OpenSSH, which uses the OpenSSL library.
> > > <mjos_crypto> Cesar's CVE-2016-2178 patch for the OpenSSL library from
> > > Monday.
> > >
> >
> https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
> > >
> > > http://eprint.iacr.org/2016/594
> > >
> > > | "Make Sure DSA Signing Exponentiations Really are Constant-Time''
> > > |
> > > | Cesar Pereida Garca and Billy Bob Brumley and Yuval Yarom
> > > |
> > > | Abstract: TLS and SSH are two of the most commonly used protocols for
> > > securing Internet traffic. Many of the implementations of these
> protocols
> > > rely on the cryptographic primitives provided in the OpenSSL library.
> In
> > > this work we disclose a vulnerability in OpenSSL, affecting all
> versions
> > > and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005,
> which
> > > renders the implementation of the DSA signature scheme vulnerable to
> > > cache-based side-channel attacks. Exploiting the software defect, we
> > > demonstrate the first published cache-based key-recovery attack on
> these
> > > protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key
> > from
> > > an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit
> > DSA
> > > key from an stunnel server.
> > > |
> > > | Category / Keywords: applied cryptography; digital signatures;
> > > side-channel analysis; timing attacks; cache-timing attacks; DSA;
> > OpenSSL;
> > > CVE-2016-2178
> > > |
> > > | Date: received 6 Jun 2016, last revised 7 Jun 2016
> > >
> > >
> > >
> >
> https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
> > >
> > > | author        Cesar Pereida
> > > |       Mon, 23 May 2016 12:45:25 +0300 (12:45 +0300)
> > > | committer     Matt Caswell
> > > |       Mon, 6 Jun 2016 13:08:15 +0300 (11:08 +0100)
> > >
> > > | Fix DSA, preserve BN_FLG_CONSTTIME
> > > |
> > > | Operations in the DSA signing algorithm should run in constant time
> in
> > > | order to avoid side channel attacks. A flaw in the OpenSSL DSA
> > > | implementation means that a non-constant time codepath is followed
> for
> > > | certain operations. This has been demonstrated through a cache-timing
> > > | attack to be sufficient for an attacker to recover the private DSA
> key.
> > > |
> > > | CVE-2016-2178
> > >
> > > Alexander
> > >
> >
>
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right to
> say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ