SecurityTracker.com
Category: Application (VPN) > OpenSSL
Vendors: OpenSSL.org
OpenSSL ecdsa_sign_setup() Timing Flaw Lets Local Users Recover Private Keys
SecurityTracker Alert ID:  1037575
SecurityTracker URL:  http://securitytracker.com/id/1037575
CVE Reference:   CVE-2016-7056   (Links to External Site)
Date:  Jan 10 2017
Impact:   Disclosure of authentication information
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 1.0.1u and prior
Description:   A vulnerability was reported in OpenSSL. A local user can recover ECDSA P-256 private keys.

The ecdsa_sign_setup() function in 'crypto/ec/ecdsa_ossl.c' does not set the BN_FLG_CONSTTIME flag on the nonce when signing with the P-256 elliptic curve, so the nonce inversion in BN_mod_inverse() takes a non-constant-time code path. As a result, a local user can mount a cache-timing attack against the signing function and recover ECDSA P-256 private keys.
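To make the flaw concrete, here is an added Python illustration (not OpenSSL's code) of why a nonce inverse whose control flow depends on the nonce is dangerous, and what a fixed-sequence path looks like instead. It assumes the standard P-256 group order, and uses textbook extended Euclid and Fermat inversion as stand-ins for the two BN_mod_inverse() paths; the real routine differs in detail but has the same property.

```python
# Added illustration, not OpenSSL code: textbook extended Euclid stands in for the
# variable-time inverse path, a fixed-exponent Fermat inverse for the constant-time
# one. Real BN_mod_inverse differs in detail, but the property the flag governs
# (whether control flow depends on k) is the same.

# Order n of the P-256 group; the nonce inverse is taken modulo this prime.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def inverse_variable_time(k, n):
    """Return (k^-1 mod n, trace) via extended Euclid; trace is the quotient of
    each iteration, so iteration count and quotients are both functions of k."""
    a, b = n, k % n
    x0, x1 = 0, 1                  # Bezout coefficients of k
    trace = []
    while b:
        q, r = divmod(a, b)
        trace.append(q)
        a, b = b, r
        x0, x1 = x1, x0 - q * x1
    if a != 1:
        raise ValueError("k is not invertible mod n")
    return x0 % n, trace


def inverse_fixed_sequence(k, n):
    """Return (k^-1 mod n, steps) as k^(n-2) mod n by square-and-multiply over the
    public exponent n-2: the loop runs once per bit of n for every k, so steps
    never depends on the nonce. (Models the intent of BN_FLG_CONSTTIME; Python
    ints themselves are not constant time.)"""
    result, base, steps = 1, k % n, 0
    for bit in bin(n - 2)[2:]:     # identical bit string for every k
        result = result * result % n
        multiplied = result * base % n
        result = multiplied if bit == "1" else result
        steps += 1
    return result, steps


def nonce_from_trace(trace, n):
    """Rebuild k from the quotient trace: the quotients are the continued-fraction
    expansion of n/k, so folding them back yields n/k in lowest terms, and with
    gcd(n, k) = 1 the denominator is k."""
    num, den = 1, 0                # start from the convergent 1/0
    for q in reversed(trace):
        num, den = q * num + den, num
    return den
```

The point of nonce_from_trace() is that the variable-time path's control flow is an exact encoding of the nonce, which is why an observer of that control flow learns the nonce, while the fixed-sequence path executes the same steps for every nonce.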

The original advisory is available at:

http://eprint.iacr.org/2016/1195
http://eprint.iacr.org/2016/1195.pdf

Cesar Pereida Garcia and Billy Bob Brumley (Tampere University of Technology) reported this vulnerability.

Impact:   A local user can recover ECDSA P-256 private keys.
Solution:   No solution was available at the time of this entry.

A proposed patch is available in the original advisory at:

http://eprint.iacr.org/2016/1195
http://eprint.iacr.org/2016/1195.pdf

[Editor's note: The decoded proposed patch from the original advisory is provided below.]

Subject: [PATCH] ECDSA vulnerable to cache-timing attack. BN_mod_inverse fails
to take constant-time path, thus leaking nonce's information.

---
crypto/ecdsa/ecs_ossl.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index 4c5fa6b..72e7c05 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -147,6 +147,8 @@ static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp,
if (!BN_add(k, k, order))
goto err;

+ BN_set_flags(k, BN_FLG_CONSTTIME);
+
/* compute r the x-coordinate of generator * k */
if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) {
ECDSAerr(ECDSA_F_ECDSA_SIGN_SETUP, ERR_R_EC_LIB);
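Review bot: the flag is set on k only after BN_add(k, k, order) has already operated on it, so every BIGNUM operation on the nonce up to that point runs without BN_FLG_CONSTTIME; setting the flag as soon as k is obtained, before the first arithmetic on it, would make the constant-time intent cover the nonce's whole lifetime rather than only EC_POINT_mul and the later BN_mod_inverse named in the subject line. Also check which source tree this hunk targets: it touches crypto/ecdsa/ecs_ossl.c, while the alert text and the oss-security message refer to crypto/ec/ecdsa_ossl.c and crypto/ecdsa/ecdsa_ossl.c respectively.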
--
2.7.4

Vendor URL:  openssl.org/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jan 31 2017 (Ubuntu Issues Fix) OpenSSL ecdsa_sign_setup() Timing Flaw Lets Local Users Recover Private Keys
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, 16.04 LTS, and 16.10.



Source Message Contents

Date:  Tue, 10 Jan 2017 15:50:28 +0000
Subject:  [oss-security] CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)

Attack Vector: Local

Vendor: OpenSSL, LibreSSL, BoringSSL

Versions Affected:
OpenSSL 1.0.1u and previous versions
LibreSSL (pre 6.0 errata 16, pre 5.9 errata 33)
BoringSSL pre November 2015

Description:
The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks
is vulnerable to timing attacks when signing with the standardized elliptic
curve P-256 despite featuring constant-time curve operations and modular inversion.
A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing
to take a secure code path in the BN_mod_inverse method and therefore resulting
in a cache-timing attack vulnerability.
A malicious user with local access can recover ECDSA P-256 private keys.

Mitigation:
Users of OpenSSL with the affected versions should apply
the patch available in the manuscript at [1].

Users of LibreSSL should apply the official patch from OpenBSD [2,3].

Users of BoringSSL should upgrade to a more recent version.

Credit:
This issue was reported by Cesar Pereida García and Billy Brumley
(Tampere University of Technology).

Timeline:
19 Dec 2016 Disclosure to OpenSSL, LibreSSL, BoringSSL security teams
29 Dec 2016 Embargo lifted

References:
[1] http://ia.cr/2016/1195
[2] https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig
[3] https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig

- Cesar

Copyright 2017, SecurityGlobal.net LLC