Bug 570942 (CVE-2010-0928)

Summary: CVE-2010-0928 openssl: RSA authentication weakness
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: mjc, nalin, qe-baseos-security, tmraz
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0928
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-06 06:49:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vincent Danen 2010-03-05 21:52:54 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0928 to
the following vulnerability:

Name: CVE-2010-0928
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0928
Assigned: 20100305
Reference: MISC: http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf
Reference: MISC: http://www.networkworld.com/news/2010/030410-rsa-security-attack.html

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx
Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm
for certain signature calculations, and does not verify the signature
before providing it to a caller, which makes it easier for physically
proximate attackers to determine the private key via a modified supply
voltage for the microprocessor, related to a "fault-based attack."
Comment 1 Mark J. Cox 2010-03-08 09:59:41 UTC 
CVE-2010-0928 describes a fault-based attack on OpenSSL where an attacker has precise control over the target system environment in order to be able to introduce faults through power supply manipulation. 

The Red Hat Security Response Team has rated this issue as having low security impact, as the attack is not a viable threat to OpenSSL as used in Red Hat products.