Bug 1180240 (CVE-2014-3570)

Summary: CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: carnil, cdewolf, chazlett, chrisw, dandread, darran.lofthouse, erich, grocha, jason.greene, jawilson, jclere, jdoyle, john.haxby, lgao, myarboro, nlevinki, pgier, pslavice, rfortier, rhs-bugs, rsvoboda, ssaha, tmraz, vbellur, vtunka, weli
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: OpenSSL 1.0.1k, OpenSSL 1.0.0p, OpenSSL 0.9.8zd
Doc Type: Bug Fix
Doc Text: It was found that OpenSSL's BigNumber Squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it.
Last Closed: 2019-06-08 02:37:39 UTC
Bug Depends On: 1181013, 1181015, 1181016, 1181017, 1181018, 1182870, 1182871, 1182872
Bug Blocks: 1180194, 1192260, 1192263, 1212496

Description Vasyl Kaigorodov 2015-01-08 17:01:01 UTC
OpenSSL released security advisory [1] which fixes the below issue:

Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. This bug occurs at random with a very
low probability, and is not known to be exploitable in any way, though
its exact impact is difficult to determine. The following has been
determined:

*) The probability of BN_sqr producing an incorrect result at random
is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and
1/2^128 on affected 64-bit platforms.
*) On most platforms, RSA follows a different code path and RSA
operations are not affected at all. For the remaining platforms
(e.g. OpenSSL built without assembly support), pre-existing
countermeasures thwart bug attacks [2].
*) Static ECDH is theoretically affected: it is possible to construct
elliptic curve points that would falsely appear to be on the given
curve. However, there is no known computationally feasible way to
construct such points with low order, and so the security of static
ECDH private keys is believed to be unaffected.
*) Other routines known to be theoretically affected are modular
exponentiation, primality testing, DSA, RSA blinding, JPAKE and
SRP. No exploits are known and straightforward bug attacks fail -
either the attacker cannot control when the bug triggers, or no
private key material is involved.

[1]: https://www.openssl.org/news/secadv_20150108.txt
[2]: http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf

Comment 1 Vincent Danen 2015-01-08 18:50:49 UTC
Upstream commit that looks to fix the problem:

https://github.com/openssl/openssl/commit/a7a44ba55cb4f884c6bc9ceac90072dea38e66d0


External References:

https://www.openssl.org/news/secadv_20150108.txt

Comment 2 Huzaifa S. Sidhpurwala 2015-01-12 08:30:07 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1181013]

Comment 4 Fedora Update System 2015-01-13 00:02:38 UTC
openssl-1.0.1k-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-01-20 21:06:12 UTC
openssl-1.0.1e-41.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
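
For triage, the "Fixed In Version" field and the two Fedora builds announced in comments 4 and 8 can be turned into a version check. The sketch below is an added example, not code from this bug or from OpenSSL; the function names and result labels are hypothetical, and it assumes the pre-3.0 OpenSSL letter scheme (a..z, then za..zz) and plain `openssl-<version>-<release>.<dist>` build names. It also shows why comparing upstream versions alone misjudges distribution packages: 1.0.1e predates 1.0.1k, yet the fc20 build at release 41 carries the fix.

```python
import re

# Upstream releases containing the fix, from this bug's "Fixed In Version" field.
FIXED_UPSTREAM = {"1.0.1": "k", "1.0.0": "p", "0.9.8": "zd"}
# Fedora builds announced as fixed in comments 4 and 8: (dist, upstream) -> release.
FIXED_FEDORA = {("fc21", "1.0.1k"): 1, ("fc20", "1.0.1e"): 41}

_PATCH = r"(?:[a-y]|z[a-z]?)?"   # pre-3.0 patch letters: a..z, then za..zz
_VER = re.compile(rf"^(\d+\.\d+\.\d+)({_PATCH})$")
_NVR = re.compile(rf"^openssl-(\d+\.\d+\.\d+{_PATCH})-(\d+)\.(fc\d+)$")


def _rank(letters):
    """Map patch letters to an integer: '' -> 0, 'a' -> 1, 'z' -> 26, 'zd' -> 30."""
    return sum(ord(ch) - ord("a") + 1 for ch in letters)


def triage_upstream(version):
    """Classify an upstream OpenSSL version string such as '0.9.8zc'."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    branch, letters = m.groups()
    fixed = FIXED_UPSTREAM.get(branch)
    if fixed is None:
        return "branch-not-listed"      # the page names no fix for this branch
    return "fixed" if _rank(letters) >= _rank(fixed) else "predates-fix"


def triage_fedora(nvr):
    """Classify a Fedora package build such as 'openssl-1.0.1e-41.fc20'."""
    m = _NVR.match(nvr)
    if not m:
        raise ValueError(f"unrecognised package build: {nvr!r}")
    upstream, release, dist = m.group(1), int(m.group(2)), m.group(3)
    fixed_release = FIXED_FEDORA.get((dist, upstream))
    if fixed_release is not None:
        # Assumption: later builds of the same upstream version keep the patch.
        return "fixed" if release >= fixed_release else "predates-fix"
    return triage_upstream(upstream)    # no backport known: fall back to upstream


if __name__ == "__main__":
    for v in ("1.0.1e", "1.0.1k", "0.9.8zc", "0.9.8zd", "1.0.2"):
        print(v, triage_upstream(v))
    for b in ("openssl-1.0.1e-40.fc20", "openssl-1.0.1e-41.fc20"):
        print(b, triage_fedora(b))
```

A "predates-fix" result for a vendor package is a prompt to check that vendor's errata, since backported fixes do not change the upstream version string.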

Comment 9 errata-xmlrpc 2015-01-21 21:29:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:0066 https://rhn.redhat.com/errata/RHSA-2015-0066.html

Comment 13 errata-xmlrpc 2015-04-16 15:39:22 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html

Comment 16 errata-xmlrpc 2016-08-22 18:08:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.1

Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html

Comment 17 Andrej Nemec 2017-09-08 12:23:16 UTC
Statement:

This issue affects the version of openssl098e as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact and does not plan to address this flaw for the above components in any future security updates.

This issue affects the version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.