SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (VPN)  >   OpenSSL Vendors:   OpenSSL.org
OpenSSL ECDSA Signature Algorithm Lets Remote Users Obtain Passwords on the Target System in Certain Cases
SecurityTracker Alert ID:  1041986
SecurityTracker URL:  http://securitytracker.com/id/1041986
CVE Reference:   CVE-2018-0735   (Links to External Site)
Date:  Oct 29 2018
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in OpenSSL. A remote user can obtain passwords on the target system in certain cases.

A remote user that can conduct a man-in-the-middle attack can exploit a timing vulnerability in its ECDSA signature algorithm to cause the target system to disclose private keys.

Samuel Weiser reported this vulnerability.

Impact:   A remote user can obtain passwords on the target system in certain cases.
Solution:   The vendor has issued a source code fix.

The vendor advisory is available at:

https://www.openssl.org/news/secadv/20181029.txt

Vendor URL:  www.openssl.org/news/secadv/20181029.txt (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [openssl-announce] Low severity timing attack in ECDSA (CVE-2018-0735)

Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
==================================================================

Severity: Low

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a
timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key.

Due to the low severity of this issue we are not issuing a new release
of OpenSSL 1.1.1 or 1.1.0 at this time. The fix will be included in
OpenSSL 1.1.1a and OpenSSL 1.1.0j when they become available. The fix
is also available in commit b1d6d55ece (for 1.1.1) and commit 56fb454d28
(for 1.1.0) in the OpenSSL git repository.

This issue was reported to OpenSSL on 25th October 2018 by Samuel Weiser.

References
==========

URL for this Security Advisory:
https://www.openssl.org/news/secadv/20181029.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html



Pauli
-- 
Oracle
Dr Paul Dale | Cryptographer | Network Security & Encryption 
Phone +61 7 3031 7217
Oracle Australia
-- 
openssl-announce mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC