Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 1 Dec 2011 12:42:51 +0200 (EET)
From: Billy Brumley <>
Subject: CVE-2011-4354 OpenSSL 0.9.8g (32-bit builds) bug leaks ECC private

This issue is tracked by CVE-2011-4354. It is publicly disclosed.

Billy Brumley <billy.brumley [at] aalto [dot] fi>
Manuel Barbosa <mbb [at] di.uminho [dot] pt>
Dan Page <page [at] [dot] uk>
Fre Vercauteren <fvercaut [at] [dot] be>

Vulnerability description
The openssl-dev mailing list thread

describes a bug affecting 32-bit builds of OpenSSL 0.9.8g. In extremely 
rare instances, it causes incorrect computation of finite field operations 
when using NIST elliptic curves P-256 or P-384.

Exploiting said bug, we designed and implemented an attack that recovers a 
TLS server's private key. As far as we are aware, this is the first public 
exploitation of the bug.

The bug is fixed in OpenSSL >= 0.9.8h and a series of patches is available 
to resolve it for version 0.9.8g starting from check in version 1.15 at

As a more generic countermeasure to these types of attacks, we implemented 
coordinate blinding as a patch to the OpenSSL source, available on the 
openssl-dev mailing list at

You can find our manuscript describing the attack at

and our proof-of-concept code to verify the attack at

Vulnerability prerequisites

- OpenSSL 0.9.8g (32-bit build)

One or more of:
- Use of curve P-256
- Use of curve P-384

One or more of:
- Use of ECDH family ciphers
- Use of ECDHE family ciphers *and* lack of SSL_OP_SINGLE_ECDH_USE context 

Ubuntu 9.10 Karmic ships with OpenSSL 0.9.8g and we verified the attack 
against it.
Debian 5.0 Lenny ships with OpenSSL 0.9.8g and, although we did not verify 
the attack, the code suggests it is vulnerable.
We verified the attack against stunnel 4.43 (linked against OpenSSL 
0.9.8g) configured to use an ECDH cipher and P-256.
Our methods do not seem to be effective for attacking OpenSSH: their 
implementation strictly uses ephemeral ECDH keys.

Vulnerability impact
The attack allows recovery of a TLS server's private key.
For ECDH family ciphers, this is the long term private key of the public 
key in a certificate.
For ECDHE family ciphers, this is the private key of the per application 
instance's ECDH ephemeral-static public key.
The attack is remote and in that sense only requires observing the result 
(success or failure) of repeated attacker-initiated TLS handshakes.

Disclosure timeline
16 Sep 2011 Notified CERT
15 Oct 2011 Notified Secunia
27 Oct 2011 Notified OpenSSL team
26 Nov 2011 Manuscript posted at IACR eprint
28 Nov 2011 Updated OpenSSL team
28 Nov 2011 Notified linux-distros list
01 Dec 2011 Notified oss-security list

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.