Bug 1015946 (CVE-2013-5915)

Summary: CVE-2013-5915 polarssl: Information disclosure of RSA private keys
Product: [Other] Security Response
Reporter: Ratul Gupta <ratulg>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: mads
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: polarssl 1.2.9, polarssl 1.3.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 02:30:36 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1015947
Bug Blocks:

Description Ratul Gupta 2013-10-07 05:41:54 UTC
PolarSSL's RSA implementation was found to have a bias in the implementation of Montgomery multiplication. It can be used to mount an attack on the RSA key.

Here, a third party can send arbitrary handshake messages to the server. If correctly executed, this attack could reveal the entire private RSA key after a large number of attack messages are sent to show the timing differences.

There is a known workaround: disable CRT (#define POLARSSL_RSA_NO_CRT) in config.h. The code will be much slower but unaffected by this attack; the best fix is to upgrade to either 1.2.9 or 1.3.0.

References:
https://bugs.gentoo.org/show_bug.cgi?id=487170
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5915
https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05
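The workaround above swaps the CRT-accelerated private-key path for plain modular exponentiation. The following added example (not PolarSSL's own code) implements both paths in Python with a constructed toy key and checks that they agree, which is why disabling CRT is a correctness-preserving mitigation at the cost of speed; the parameters P, Q and E are assumptions for illustration only and far too small to be secure.

```python
# Added example (not PolarSSL code): RSA private-key operation with and without
# the Chinese Remainder Theorem (CRT) speed-up. The CVE-2013-5915 workaround
# (#define POLARSSL_RSA_NO_CRT) makes an implementation use the plain form
# instead of the CRT form; both must return identical results.

def rsa_private_plain(c, d, n):
    """Straight modular exponentiation m = c^d mod n (the NO_CRT path)."""
    return pow(c, d, n)

def rsa_private_crt(c, p, q, dp, dq, qinv):
    """CRT path: two half-size exponentiations recombined with Garner's formula."""
    m1 = pow(c, dp, p)          # c^dp mod p
    m2 = pow(c, dq, q)          # c^dq mod q
    h = (qinv * (m1 - m2)) % p  # Garner recombination coefficient
    return m2 + h * q           # result already lies in [0, p*q)

def crt_params(p, q, d):
    """Derive the CRT exponents and inverse that are stored with a private key."""
    dp = d % (p - 1)
    dq = d % (q - 1)
    qinv = pow(q, -1, p)        # q^-1 mod p (Python 3.8+)
    return dp, dq, qinv

# Constructed toy key (assumption for illustration): p and q are primes, e = 65537.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = crt_params(P, Q, D)

def check_paths_agree(msg):
    """Encrypt with the public key, decrypt via both paths, return True if all match."""
    c = pow(msg, E, N)
    plain = rsa_private_plain(c, D, N)
    crt = rsa_private_crt(c, P, Q, DP, DQ, QINV)
    return plain == crt == msg

if __name__ == "__main__":
    for m in (42, 123456789, N - 1):
        print(m, check_paths_agree(m))
```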

Comment 1 Ratul Gupta 2013-10-07 05:42:38 UTC
Created polarssl tracking bugs for this issue:

Affects: fedora-all [bug 1015947]

Comment 3 Mads Kiilerich 2013-10-09 00:36:03 UTC
All fedora versions already had 1.2.9 in testing when this was filed. It would be nice if your automatic tools were a bit smarter.

Comment 5 Fedora Update System 2014-06-19 22:55:02 UTC
polarssl-1.2.10-2.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2014-06-19 22:57:40 UTC
polarssl-1.2.10-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Product Security DevOps Team 2019-06-08 02:30:36 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.