(FreeBSD Issues Fix) OpenSSL Montgomery Ladder Timing Lets Local Users Conduct Side-Channel Attacks to Obtain ECDSA Nonces
SecurityTracker Alert ID: 1030039|
SecurityTracker URL: http://securitytracker.com/id/1030039
(Links to External Site)
Date: Apr 9 2014
Disclosure of authentication information|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 1.0.0l and prior|
A vulnerability was reported in OpenSSL. A local user can obtain Elliptic Curve Digital Signature Algorithm (ECDSA) nonces.|
A local user can exploit a timing flaw in the Montgomery ladder implementation during swap operations to perform a FLUSH+RELOAD cache side-channel attack and potentially recover ECDSA nonces.
The original advisory is available at:
Yuval Yarom and Naomi Benger reported this vulnerability.
A local user can recover ECDSA nonces.|
FreeBSD has issued a fix.|
The FreeBSD advisory is available at:
Vendor URL: www.openssl.org/news/secadv_20140605.txt (Links to External Site)
Access control error, State error|
|Underlying OS: UNIX (FreeBSD)|
|Underlying OS Comments: 8.3, 8.4, 9.1, 9.2, 10.0|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl [REVISED]|
-----BEGIN PGP SIGNED MESSAGE-----
FreeBSD-SA-14:06.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL multiple vulnerabilities
Affects: All supported versions of FreeBSD.
Corrected: 2014-04-08 18:27:39 UTC (stable/10, 10.0-STABLE)
2014-04-08 18:27:46 UTC (releng/10.0, 10.0-RELEASE-p1)
2014-04-08 23:16:19 UTC (stable/9, 9.2-STABLE)
2014-04-08 23:16:05 UTC (releng/9.2, 9.2-RELEASE-p4)
2014-04-08 23:16:05 UTC (releng/9.1, 9.1-RELEASE-p11)
2014-04-08 23:16:19 UTC (stable/8, 8.4-STABLE)
2014-04-08 23:16:05 UTC (releng/8.4, 8.4-RELEASE-p8)
2014-04-08 23:16:05 UTC (releng/8.3, 8.3-RELEASE-p15)
CVE Name: CVE-2014-0076, CVE-2014-0160
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
0. Revision History
v1.0 2014-04-08 Initial release.
v1.1 2014-04-08 Added patch applying step in Solutions section.
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the
usage of keep-alive functionality without performing a renegotiation and a
basis for path MTU (PMTU) discovery for DTLS.
Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the
Digital Signature Algorithm (DSA) which uses Elliptic Curve Cryptography.
OpenSSL uses the Montgomery Ladder Approach to compute scalar multiplication
in a fixed amount of time, which does not leak any information through timing
II. Problem Description
The code used to handle the Heartbeat Extension does not do sufficient boundary
checks on record length, which allows reading beyond the actual payload.
[CVE-2014-0160]. Affects FreeBSD 10.0 only.
A flaw in the implementation of Montgomery Ladder Approach would create a
side-channel that leaks sensitive timing information. [CVE-2014-0076]
An attacker who can send a specifically crafted packet to TLS server or client
with an established connection can reveal up to 64k of memory of the remote
system. Such memory might contain sensitive information, including key
material, protected content, etc. which could be directly useful, or might
be leveraged to obtain elevated privileges. [CVE-2014-0160]
A local attacker might be able to snoop a signing process and might recover
the signing key from it. [CVE-2014-0076]
No workaround is available, but systems that do not use OpenSSL to implement
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols implementation and do not use the ECDSA implementation from OpenSSL
are not vulnerable.
Perform one of the following:
1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
2) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 8.x and FreeBSD 9.x]
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl.patch.asc
# gpg --verify openssl.patch.asc
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl-10.patch
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
Restart all deamons using the library, or reboot the system.
3) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
IMPORTANT: the update procedure above does not update OpenSSL from the
Ports Collection or from a package, known as security/openssl, which
has to be updated separately via ports or package. Users who have
installed security/openssl should update to at least version 1.0.1_10.
VI. Correction details
The following list contains the correction revision numbers for each
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
Or visit the following URL, replacing NNNNNN with the revision number:
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)
-----END PGP SIGNATURE-----
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "email@example.com"