OpenSSL RSA Key Generation BN_mod_inverse() and BN_mod_exp_mont() Cache Timing Attack Lets Local Users Recover the Private Key
SecurityTracker Alert ID: 1040685
SecurityTracker URL: http://securitytracker.com/id/1040685
Date: Apr 16 2018
Disclosure of authentication information
Fix Available: Yes. Vendor Confirmed: Yes.
A vulnerability was reported in OpenSSL. A local user can recover the private key in certain cases.
A local user that can conduct a cache timing side channel attack against the RSA key generation algorithm's BN_mod_inverse() and BN_mod_exp_mont() functions may be able to recover the private key.
The vendor was notified on April 4, 2018.
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia, and Luis Manuel Alvarez Tapia reported this vulnerability.
A local user that can conduct a cache timing attack on the target system may be able to recover the private key in certain cases.
The vendor has issued a source code fix (OpenSSL git repository commit 6939eab03 (for version 1.1.0) and commit 349a41da1 (for version 1.0.2)).
The fix will be included in future versions 1.1.0i and 1.0.2p.
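A first-pass check a defender can run against the fixed releases named above (1.1.0i and 1.0.2p), added here as an example and not code from SecurityTracker or the OpenSSL project. It assumes the legacy OpenSSL version scheme (numeric release plus letter patch level) and, for the optional live check, that an `openssl` binary is on PATH.

```python
import re
import subprocess

# Fixed releases per branch, as stated in the advisory for CVE-2018-0737.
FIXED_VERSIONS = {"1.1.0": "1.1.0i", "1.0.2": "1.0.2p"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (major, minor, fix, patch_letters) from a legacy OpenSSL
    version string such as 'OpenSSL 1.0.2k-fips  26 Jan 2017'.
    Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_fixed_for_cve_2018_0737(version_text):
    """True if the version is at or beyond the fixed release on its branch,
    False if it is older, None if the branch is not covered by the advisory
    (e.g. 1.1.1 or 3.x) or the string cannot be parsed.
    Letter patch levels are ordered by length, then value, so 'z' < 'za',
    matching how OpenSSL numbered its long-term 1.0.2 releases.
    Caveat: distributions backport fixes without bumping the letter, so a
    False here means 'check the package changelog', not 'vulnerable'."""
    v = parse_openssl_version(version_text)
    if v is None:
        return None
    branch = "%d.%d.%d" % v[:3]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return None
    fixed_letters = parse_openssl_version(fixed)[3]
    return (len(v[3]), v[3]) >= (len(fixed_letters), fixed_letters)


def installed_openssl_version():
    """Return the output of 'openssl version', or None if it cannot run."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    installed = installed_openssl_version()
    print(installed, "->", is_fixed_for_cve_2018_0737(installed or ""))
```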
The vendor advisory is available at:
Vendor URL: www.openssl.org/news/secadv/20180416.txt
Access control error, State error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Source Message Contents
Subject: [openssl-announce] OpenSSL Security Advisory
OpenSSL Security Advisory [16 Apr 2018]
Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a
cache timing side channel attack. An attacker with sufficient access to mount
cache timing attacks during the RSA key generation process could recover the
Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 or 1.0.2 at this time. The fix will be included in OpenSSL 1.1.0i
and OpenSSL 1.0.2p when they become available. The fix is also available in
commit 6939eab03 (for 1.1.0) and commit 349a41da1 (for 1.0.2) in the OpenSSL git
This issue was reported to OpenSSL on 4th April 2018 by Alejandro Cabrera
Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia.
The fix was developed by Billy Brumley.
URL for this Security Advisory:
Note: the online version of the advisory may be updated with additional details
For details of OpenSSL severity classifications please see: