Bug 709021 (CVE-2011-1945)

Summary: CVE-2011-1945 openssl: ECDSA private key leak through a remote timing attack
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: high
Priority: high
Version: unspecified
CC: tmraz, vdanen
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-05-30 12:23:13 UTC

Description Tomas Hoger 2011-05-30 12:21:21 UTC
Billy Bob Brumley and Nicola Tuveri discovered an attack against OpenSSL's implementation of the ECDSA signature algorithm.  They succeeded in remotely obtaining a private key of a TLS server using ECDSA.  The details can be found in their paper "Remote Timing Attacks are Still Practical":

http://eprint.iacr.org/2011/232
http://eprint.iacr.org/2011/232.pdf

http://www.kb.cert.org/vuls/id/536044

A fix based on the countermeasure proposed by the paper's authors was committed to upstream CVS:
http://cvs.openssl.org/chngview?cn=20892

However, there have been some concerns raised about the reversed #ifdef / #ifndef:
http://marc.info/?l=openssl-dev&m=130650560927163&w=2

Acknowledgement:

Red Hat would like to thank the CERT/CC for reporting this issue. The CERT/CC acknowledges Billy Bob Brumley and Nicola Tuveri as the original reporters.

Comment 1 Tomas Hoger 2011-05-30 12:23:13 UTC
Statement:

Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6, as they do not include support for elliptic curve cryptography.

Comment 2 Vincent Danen 2011-05-31 21:40:31 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1945 to the following vulnerability:

Name: CVE-2011-1945
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1945
Assigned: 20110509
Reference: http://eprint.iacr.org/2011/232.pdf
Reference: http://www.kb.cert.org/vuls/id/MAPG-8FENZ3
Reference: CERT-VN:VU#536044
Reference: http://www.kb.cert.org/vuls/id/536044

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
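The mechanism behind the CVE text above and the description in comment 0, as an added illustration that is not part of this bug report or of OpenSSL's code: a Montgomery ladder that loops once per bit of the ECDSA nonce k takes a number of steps equal to the bit length of k, so the signing time reveals how many leading bits of the nonce are zero, and a lattice calculation over many such signatures recovers the private key. The countermeasure proposed in the paper (the basis of the upstream fix linked above) replaces k with a congruent scalar of fixed bit length. Everything below is constructed for the example: the curve is a small prime-field curve chosen for brevity, whereas the affected OpenSSL code is the binary-field ladder, but the variable loop count and the padding are the same, and ladder step counts stand in for measured time.

```python
"""Toy illustration of the nonce-length timing leak behind CVE-2011-1945
and of the fixed-length-scalar mitigation (added example, not OpenSSL code)."""
import random

P, A, B = 97, 2, 3      # constructed toy curve: y^2 = x^3 + A*x + B over GF(P)
INF = None               # point at infinity


def add(p1, p2):
    """Affine point addition / doubling on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                 # p1 == -p2 (covers y == 0 doubling)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def point_order(g):
    """Smallest n > 0 with n*g == INF, by repeated addition (toy sizes only)."""
    n, q = 1, g
    while q is not INF:
        q = add(q, g)
        n += 1
    return n


def pick_generator():
    """Enumerate the affine points and return (point, order) of largest order."""
    best, best_n = None, 0
    for x in range(P):
        for y in range(P):
            if (y * y - (x ** 3 + A * x + B)) % P == 0:
                n = point_order((x, y))
                if n > best_n:
                    best, best_n = (x, y), n
    return best, best_n


def ladder(k, g):
    """Montgomery ladder computing k*g. It processes exactly k.bit_length()
    bits, so the step count returned with the point reveals the bit length
    of k: for an ECDSA nonce this is the leak the attack exploits."""
    r0, r1 = INF, g
    steps = 0
    for i in range(k.bit_length() - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = add(r0, r1), add(r1, r1)
        else:
            r0, r1 = add(r0, r0), add(r0, r1)
        steps += 1
    return r0, steps


def pad_scalar(k, n):
    """Fixed-length scalar: k + n, or k + 2n when k + n still has the bit
    length of n. Both are congruent to k mod n, so k*G is unchanged, but the
    ladder now always runs n.bit_length() + 1 steps regardless of k."""
    kk = k + n
    if kk.bit_length() == n.bit_length():
        kk += n
    return kk


def compare_step_counts(trials=200, seed=1):
    """Return (order, raw step counts, padded step counts) over random nonces."""
    g, n = pick_generator()
    rng = random.Random(seed)
    raw, padded = set(), set()
    for _ in range(trials):
        k = rng.randrange(1, n)
        q_raw, s_raw = ladder(k, g)
        q_padded, s_padded = ladder(pad_scalar(k, n), g)
        assert q_raw == q_padded, "padding must not change k*G"
        raw.add(s_raw)
        padded.add(s_padded)
    return n, raw, padded


if __name__ == "__main__":
    n, raw, padded = compare_step_counts()
    print(f"order of G: {n} ({n.bit_length()} bits)")
    print("ladder steps, raw nonce:   ", sorted(raw))
    print("ladder steps, padded nonce:", sorted(padded))
```

Run as a script, it prints a spread of step counts for raw nonces (one value per distinct nonce bit length seen) and a single value for padded nonces, while the assertion inside the loop confirms that padding never changes the resulting point. Note that fixing the loop count removes only this particular leak; the paper and the openssl-dev thread linked above are the references for what the upstream change actually does and for the concerns about its #ifdef guards.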