Bug 1343400 (CVE-2016-2178)

Summary: CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apmukher, bbaranow, bmaxwell, cdewolf, csutherl, dandread, darran.lofthouse, dknox, dosoudil, erik-fedora, gzaronik, jaeshin, jawilson, jclere, kent, ktietz, lgao, marcandre.lureau, mbabacek, mturk, myarboro, pgier, psakar, pslavice, redhat-bugzilla, rjones, rnetuka, rsvoboda, sardella, slawomir, tmraz, twalsh, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openssl 1.0.1u, openssl 1.0.2i Doc Type: If docs needed, set a value
Doc Text:
It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:53:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1343401, 1343402, 1343403, 1377623, 1377624, 1377625, 1377626, 1381809, 1381810    
Bug Blocks: 1343404, 1367347, 1395463, 1461790, 1479475    

Description Andrej Nemec 2016-06-07 09:12:18 UTC 
Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

Upstream fix:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=d168705e11526a4b487640c7cac5b53ee3646cbc
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=3681a4558c13198944e6f7f149c4be188e076e14
Comment 1 Andrej Nemec 2016-06-07 09:13:06 UTC 
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1343403]
Comment 2 Andrej Nemec 2016-06-07 09:13:20 UTC 
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1343401]
Comment 3 Andrej Nemec 2016-06-07 09:13:31 UTC 
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1343402]
Comment 5 Andrej Nemec 2016-06-08 15:49:23 UTC 
Lowering the initial impact because of the nature of time-channel attack.
Comment 6 Andrej Nemec 2016-06-09 07:56:49 UTC 
References (thread contains a discussion about severity of this issue):

http://seclists.org/oss-sec/2016/q2/493
Comment 8 Tomas Hoger 2016-09-19 20:17:01 UTC 
Details of the issue and the attack taking advantage of it:

http://eprint.iacr.org/2016/594
http://eprint.iacr.org/2016/594.pdf
Comment 10 Tomas Hoger 2016-09-22 12:00:58 UTC 
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.


Constant time flag not preserved in DSA signing (CVE-2016-2178)
===============================================================

Severity: Low

Operations in the DSA signing algorithm should run in constant time in order to
avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
a non-constant time codepath is followed for certain operations. This has been
demonstrated through a cache-timing attack to be sufficient for an attacker to
recover the private DSA key.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 23rd May 2016 by César Pereida (Aalto
University), Billy Brumley (Tampere University of Technology), and Yuval Yarom
(The University of Adelaide and NICTA). The fix was developed by César Pereida.


External References:

https://www.openssl.org/news/secadv/20160922.txt
http://eprint.iacr.org/2016/594
Comment 11 errata-xmlrpc 2016-09-27 13:53:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html
Comment 13 errata-xmlrpc 2016-12-15 22:11:29 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html
Comment 14 errata-xmlrpc 2017-01-25 20:06:19 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:0194 https://access.redhat.com/errata/RHSA-2017:0194
Comment 15 errata-xmlrpc 2017-01-25 20:07:41 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:0193 https://access.redhat.com/errata/RHSA-2017:0193
Comment 17 errata-xmlrpc 2017-06-28 20:01:44 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659
Comment 18 errata-xmlrpc 2017-06-28 20:20:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658