Bug 1990591 (CVE-2021-3798)

Summary: CVE-2021-3798 openCryptoki: Soft token does not check if an EC key is valid
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dan, jjelen, plautrba, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 10:48:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1959894, 1959936, 1979173, 1990592, 1998233, 1998234    
Bug Blocks: 1990593    

Description Guilherme de Almeida Suckevicz 2021-08-05 16:55:52 UTC
It was discovered that openCryptoki incorrectly handled certain EC keys. An attacker could possibly use this issue to cause a invalid curve attack.


Upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2021-08-05 16:56:05 UTC
Created openCryptoki tracking bugs for this issue:

Affects: fedora-all [bug 1990592]

Comment 5 Mauro Matteo Cascella 2021-09-10 15:31:55 UTC
As mentioned in the Ubuntu launchpad bug [1] EC support has been introduced in the Soft token with OCK 3.15.0, so this issue only affects openCryptoki versions >= 3.15.0 while earlier openCryptoki releases are not affected. In particular, EC support was introduced through commit [2].

[1] https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1928780
[2] https://github.com/opencryptoki/opencryptoki/commit/a179fd01a265a98194d9c06ec5958da1dd2ecae3

Comment 7 Mauro Matteo Cascella 2021-09-13 10:19:59 UTC
In an invalid curve attack, the attacker is able to trick the vulnerable application into using curve points outside of the intended elliptic curve, making it possible to (potentially) extract the private key. A cryptographic library implementing El­lip­tic Curve Cryp­to­gra­phy (ECC) needs to make sure that only valid curve points will be processed, while invalid points are detected and discarded accordingly. This is what openCryptoki's patch aims to do by adding the missing check in fill_ec_key_from_pubkey() and fill_ec_key_from_privkey().

Comment 9 Mauro Matteo Cascella 2021-09-13 13:33:50 UTC
This issue has been addressed in Red Hat Enterprise Linux 8 via RHBA-2021:3054: