Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 8 Jun 2016 17:33:35 +0200
From: Gsunde Orangen <gsunde.orangen@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2016-2178: OpenSSL DSA follows a non-constant
 time codepath for certain operations

... which would be a different rating to the "moderate" that the RedHat
team ended up with: https://access.redhat.com/security/cve/CVE-2016-2178
I agree that both ratings are reasonable; so still awaiting for the OpenSSL
announcement at least in the vulnerability section (
https://www.openssl.org/news/vulnerabilities.html#y2016).
(Could be that I am just too impatient ;-)

2016-06-08 17:18 GMT+02:00 Alex Gaynor <alex.gaynor@...il.com>:

> I assume the OpenSSL team considers this vulnerability to be LOW severity:
> https://www.openssl.org/policies/secpolicy.html
>
> Alex
>
> On Wed, Jun 8, 2016 at 11:15 AM, Gsunde Orangen <gsunde.orangen@...il.com>
> wrote:
>
> > Whilst there is a commit in openssl and a CVE ID, I wonder why this
> hasn't
> > been announced yet by OpenSSL.org and why there are no official fix
> > releases (yet).
> > What made this issue different to the usual coordinated disclosures being
> > practiced with the OpenSSL team?
> >
> > 2016-06-08 10:54 GMT+02:00 Solar Designer <solar@...nwall.com>:
> >
> > > Hi,
> > >
> > > Just off Twitter:
> > >
> > > <mjos_crypto> Out today: This is the OpenSSL side-channel
> vulnerability I
> > > mentioned last week; now on ePrint. Also CVE-2016-2178.
> > > http://eprint.iacr.org/2016/594
> > > <@mjos_crypto> @mjos_crypto Currently unfixed in essentially all
> distros.
> > > <mjos_crypto> Note that CVE-2016-2178 /
> > > http://eprint.iacr.org/2016/594.pdf most severely actually impacts
> > > OpenSSH, which uses the OpenSSL library.
> > > <mjos_crypto> Cesar's CVE-2016-2178 patch for the OpenSSL library from
> > > Monday.
> > >
> >
> https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
> > >
> > > http://eprint.iacr.org/2016/594
> > >
> > > | "Make Sure DSA Signing Exponentiations Really are Constant-Time''
> > > |
> > > | Cesar Pereida Garca and Billy Bob Brumley and Yuval Yarom
> > > |
> > > | Abstract: TLS and SSH are two of the most commonly used protocols for
> > > securing Internet traffic. Many of the implementations of these
> protocols
> > > rely on the cryptographic primitives provided in the OpenSSL library.
> In
> > > this work we disclose a vulnerability in OpenSSL, affecting all
> versions
> > > and forks (e.g. LibreSSL and BoringSSL) since roughly October 2005,
> which
> > > renders the implementation of the DSA signature scheme vulnerable to
> > > cache-based side-channel attacks. Exploiting the software defect, we
> > > demonstrate the first published cache-based key-recovery attack on
> these
> > > protocols: 260 SSH-2 handshakes to extract a 1024/160-bit DSA host key
> > from
> > > an OpenSSH server, and 580 TLS 1.2 handshakes to extract a 2048/256-bit
> > DSA
> > > key from an stunnel server.
> > > |
> > > | Category / Keywords: applied cryptography; digital signatures;
> > > side-channel analysis; timing attacks; cache-timing attacks; DSA;
> > OpenSSL;
> > > CVE-2016-2178
> > > |
> > > | Date: received 6 Jun 2016, last revised 7 Jun 2016
> > >
> > >
> > >
> >
> https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2
> > >
> > > | author        Cesar Pereida
> > > |       Mon, 23 May 2016 12:45:25 +0300 (12:45 +0300)
> > > | committer     Matt Caswell
> > > |       Mon, 6 Jun 2016 13:08:15 +0300 (11:08 +0100)
> > >
> > > | Fix DSA, preserve BN_FLG_CONSTTIME
> > > |
> > > | Operations in the DSA signing algorithm should run in constant time
> in
> > > | order to avoid side channel attacks. A flaw in the OpenSSL DSA
> > > | implementation means that a non-constant time codepath is followed
> for
> > > | certain operations. This has been demonstrated through a cache-timing
> > > | attack to be sufficient for an attacker to recover the private DSA
> key.
> > > |
> > > | CVE-2016-2178
> > >
> > > Alexander
> > >
> >
>
>
>
> --
> "I disapprove of what you say, but I will defend to the death your right to
> say it." -- Evelyn Beatrice Hall (summarizing Voltaire)
> "The people's good is the highest law." -- Cicero
> GPG Key fingerprint: D1B3 ADC0 E023 8CA6
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.