SecurityTracker.com
Category:   Application (VPN)  >   OpenSSL
Vendors:   OpenSSL.org
OpenSSL DSA Signing Constant Timing Bug May Let Remote Users Obtain Potentially Sensitive Information on the Target System
SecurityTracker Alert ID:  1036054
SecurityTracker URL:  http://securitytracker.com/id/1036054
CVE Reference:   CVE-2016-2178
Date:  Jun 8 2016
Impact:   Disclosure of authentication information, Disclosure of system information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in OpenSSL. A remote user can obtain potentially sensitive information on the target system.

The DSA signing algorithm may fail to run in constant time when the BN_FLG_CONSTTIME flag is set. A remote user may be able to exploit this to obtain potentially sensitive timing information regarding the cryptographic signature process, including the DSA private key.
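The following added example (not OpenSSL code, and not taken from the advisory) models why a flag-gated constant-time path matters: it counts modular multiplications for a secret exponent when the flag is honored and when it is not. The toy types, `TOY_CONSTTIME`, and the flag-dropping `toy_copy` are hypothetical names, and the copy is an assumed way for the flag state to be lost.

```c
#include <stdint.h>
#include <stdio.h>
#define TOY_CONSTTIME 0x01  /* hypothetical stand-in for BN_FLG_CONSTTIME */
typedef struct { uint32_t v; int flags; } toy_bn;  /* toy 32-bit "bignum" */
static unsigned long mul_count;  /* modular multiplications performed */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m) {
    mul_count++;
    return (uint32_t)(((uint64_t)a * b) % m);
}
/* Variable-time path: the extra multiply happens only for 1 bits of k. */
static uint32_t exp_vartime(uint32_t g, uint32_t k, uint32_t m) {
    uint32_t r = 1 % m;
    for (int i = 31; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((k >> i) & 1) r = mulmod(r, g % m, m);
    }
    return r;
}
/* Montgomery ladder: same operation sequence for every k (operation-count model only). */
static uint32_t exp_ladder(uint32_t g, uint32_t k, uint32_t m) {
    uint32_t r0 = 1 % m, r1 = g % m;
    for (int i = 31; i >= 0; i--) {
        uint32_t mask = 0u - ((k >> i) & 1);
        uint32_t t = (r0 ^ r1) & mask;   /* branch-free conditional swap */
        r0 ^= t; r1 ^= t;
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        t = (r0 ^ r1) & mask;            /* swap back */
        r0 ^= t; r1 ^= t;
    }
    return r0;
}
/* The flag on the exponent selects the path, as a flag-gated library would. */
static uint32_t toy_mod_exp(uint32_t g, const toy_bn *k, uint32_t m) {
    return (k->flags & TOY_CONSTTIME) ? exp_ladder(g, k->v, m) : exp_vartime(g, k->v, m);
}
/* Assumed failure mode: a copy that keeps the value but drops the flags. */
static toy_bn toy_copy(const toy_bn *src) { toy_bn d = { src->v, 0 }; return d; }
/* Multiplications spent on one exponentiation with secret exponent k. */
static unsigned long cost(const toy_bn *k) {
    mul_count = 0;
    (void)toy_mod_exp(5, k, 1000003u);
    return mul_count;
}
int main(void) {
    toy_bn k = { 0x0000FFFFu, TOY_CONSTTIME }, c = toy_copy(&k);  /* constructed nonce */
    printf("flagged: %lu mults, unflagged copy: %lu mults\n", cost(&k), cost(&c));
    return 0;
}
```

With the flag honored the cost is identical for every exponent; once the flag is lost the cost tracks the number of 1 bits in the secret, which is the kind of signal a timing or cache observer measures.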

The original advisory is available at:

http://eprint.iacr.org/2016/594.pdf

Cesar Pereida (Aalto University), Billy Brumley (Tampere University of Technology), and Yuval Yarom (The University of Adelaide and NICTA) reported this vulnerability.

Impact:   A remote user can obtain potentially sensitive timing information regarding the cryptographic signature process, including the DSA private key.
Solution:   The vendor has issued a source code fix, available at:

https://git.openssl.org/?p=openssl.git;a=commit;h=399944622df7bd81af62e67ea967c470534090e2

Vendor URL:  openssl.org/
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 23 2016 (FreeBSD Issues Fix) OpenSSL DSA Signing Constant Timing Bug May Let Remote Users Obtain Potentially Sensitive Information on the Target System
FreeBSD has issued a fix for FreeBSD 9.3, 10.1, 10.2, 10.3, and 11.0.
Oct 17 2016 (Oracle Issues Fix for Oracle Linux) OpenSSL DSA Signing Constant Timing Bug May Let Remote Users Obtain Potentially Sensitive Information on the Target System
Oracle has issued a fix for Oracle Linux 5.
Oct 27 2016 (HP Issues Advisory for HPE IceWall) OpenSSL DSA Signing Constant Timing Bug May Let Remote Users Obtain Potentially Sensitive Information on the Target System
HPE has issued an advisory for HPE IceWall.
Nov 15 2016 (IBM Issues Fix for IBM AIX) OpenSSL DSA Signing Constant Timing Bug May Let Remote Users Obtain Potentially Sensitive Information on the Target System
IBM has issued a fix for IBM AIX 5.3, 6.1, 7.1, and 7.2.
Jan 26 2017 (Red Hat Issues Fix for Red Hat JBoss Core Services) OpenSSL DSA Signing Constant Timing Bug May Let Remote Users Obtain Potentially Sensitive Information on the Target System
Red Hat has issued a fix for Red Hat JBoss Core Services for Red Hat Enterprise Linux 6 and 7.
Mar 22 2017 (IBM Issues Fix for IBM Rational ClearQuest) OpenSSL DSA Signing Constant Timing Bug May Let Remote Users Obtain Potentially Sensitive Information on the Target System
IBM has issued a fix for IBM Rational ClearQuest.



Copyright 2019, SecurityGlobal.net LLC