Bug 2338999 (CVE-2024-13176)

Summary: CVE-2024-13176 openssl: Timing side-channel in ECDSA signature computation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: low
Priority: low
Version: unspecified
CC: adsanap, adudiak, akostadi, amasferr, cbartlet, chazlett, crizzo, csutherl, dbosanac, dfreiber, dmayorov, drow, jburrell, jcantril, jclere, jlledo, jmitchel, jreimann, jtanner, jvasik, kaycoth, kshier, lball, lmlikith, mcascell, mdessi, mmakovy, mrizzi, ngough, omaciel, pcattana, pjindal, plodge, rblanco, rojacob, stcannon, szappis, tjochec, vchlup, veshanka, vkumar, vmugicag, yguenane
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A timing side-channel vulnerability was found in OpenSSL. This vulnerability allows an attacker to recover the private key. However, measuring the timing would require local access to the signing application or a fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This issue can happen with significant probability only for some of the supported elliptic curves. In particular, the NIST P-521 curve is affected.
Bug Depends On: 2360700

Description OSIDB Bzimport 2025-01-20 14:01:22 UTC
Issue summary: A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations
could allow recovering the private key by an attacker. However, measuring
the timing would require either local access to the signing application or
a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the attacker
process must either be located in the same physical computer or must
have a very fast network connection with low latency. For that reason
the severity of this vulnerability is Low.
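
Why P-521 stands out among the curves, as an added illustration that is not part of the original report or of OpenSSL's code: it computes how often the top machine word of k^-1 mod n is zero, exactly and by sampling real modular inverses. The 64-bit word size, the limb model (a value stored in as many words as the curve order n) and all function names are assumptions made for the example.

```python
import math
import random
from fractions import Fraction

# Group orders n of three NIST curves (public constants from FIPS 186-4).
ORDERS = {
    "P-256": 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551,
    "P-384": int("F" * 48 + "C7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973", 16),
    "P-521": int("1" + "F" * 65 + "A51868783BF2F966B7FCC0148F709A5D"
                 "03BB5C9B8899C47AEBB6FB71E91386409", 16),
}
WORD_BITS = 64  # assumption: 64-bit limbs, as on x86-64 or aarch64 builds


def limb_count(n, word_bits=WORD_BITS):
    """Number of machine words needed to hold a value the size of n."""
    return -(-n.bit_length() // word_bits)


def top_limb_is_zero(value, n, word_bits=WORD_BITS):
    """True if value, stored in as many limbs as n, has an all-zero top limb."""
    return value >> (word_bits * (limb_count(n, word_bits) - 1)) == 0


def p_zero_top_limb(n, word_bits=WORD_BITS):
    """Exact probability, given k^-1 uniform in [1, n-1] (inversion is a bijection)."""
    below = (1 << (word_bits * (limb_count(n, word_bits) - 1))) - 1
    return Fraction(below, n - 1)


def simulate(n, samples, seed=0):
    """Count sampled nonces k whose inverse mod n has a zero top limb."""
    rng = random.Random(seed)  # seeded: a reproducible experiment, not a nonce source
    return sum(top_limb_is_zero(pow(rng.randrange(1, n), -1, n), n)
               for _ in range(samples))


if __name__ == "__main__":
    for name, n in ORDERS.items():
        p = p_zero_top_limb(n)
        print(f"{name}: {limb_count(n)} limbs, P(top limb zero) ~ 2^{math.log2(p):.1f}")
    hits = simulate(ORDERS["P-521"], 20000)
    print(f"P-521 sample: {hits} of 20000 inverses had a zero top limb")
```

Under this model the top word of a P-521 value carries only 9 of its 521 bits, so the condition holds for roughly one signature in 512, while for P-256 and P-384 the top word is fully populated and the rate is about 2^-64.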

Comment 6 errata-xmlrpc 2025-09-11 14:36:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:15699 https://access.redhat.com/errata/RHSA-2025:15699

Comment 7 errata-xmlrpc 2025-09-17 08:03:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:16046 https://access.redhat.com/errata/RHSA-2025:16046