Bug 1180240 (CVE-2014-3570) - CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
Summary: CVE-2014-3570 openssl: Bignum squaring may produce incorrect results
Status: CLOSED ERRATA
Alias: CVE-2014-3570
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20150108,reported=2...
Keywords: Security
Depends On: 1181013 1181015 1181016 1181017 1181018 1182870 1182871 1182872
Blocks: 1180194 1192260 1192263 1212496
TreeView+ depends on / blocked
 
Reported: 2015-01-08 17:01 UTC by Vasyl Kaigorodov
Modified: 2019-06-11 11:13 UTC (History)
26 users (show)

(edit)
It was found that OpenSSL's BigNumber Squaring implementation could produce incorrect results under certain special conditions. This flaw could possibly affect certain OpenSSL library functionality, such as RSA blinding. Note that this issue occurred rarely and with a low probability, and there is currently no known way of exploiting it.
Clone Of:
(edit)
Last Closed: 2019-06-08 02:37:39 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0066 normal SHIPPED_LIVE Moderate: openssl security update 2015-01-22 02:28:18 UTC
Red Hat Product Errata RHSA-2015:0849 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 19:39:06 UTC
Red Hat Product Errata RHSA-2016:1650 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.1 security update 2016-08-22 22:07:23 UTC

Description Vasyl Kaigorodov 2015-01-08 17:01:01 UTC
OpenSSL released security advisory [1] which fixes the below issue:

Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. This bug occurs at random with a very
low probability, and is not known to be exploitable in any way, though
its exact impact is difficult to determine. The following has been
determined:

*) The probability of BN_sqr producing an incorrect result at random
is very low: 1/2^64 on the single affected 32-bit platform (MIPS) and
1/2^128 on affected 64-bit platforms.
*) On most platforms, RSA follows a different code path and RSA
operations are not affected at all. For the remaining platforms
(e.g. OpenSSL built without assembly support), pre-existing
countermeasures thwart bug attacks [2].
*) Static ECDH is theoretically affected: it is possible to construct
elliptic curve points that would falsely appear to be on the given
curve. However, there is no known computationally feasible way to
construct such points with low order, and so the security of static
ECDH private keys is believed to be unaffected.
*) Other routines known to be theoretically affected are modular
exponentiation, primality testing, DSA, RSA blinding, JPAKE and
SRP. No exploits are known and straightforward bug attacks fail -
either the attacker cannot control when the bug triggers, or no
private key material is involved.

[1]: https://www.openssl.org/news/secadv_20150108.txt
[2]: http://css.csail.mit.edu/6.858/2013/readings/rsa-bug-attacks.pdf

Comment 1 Vincent Danen 2015-01-08 18:50:49 UTC
Upstream commit that looks to fix the problem:

https://github.com/openssl/openssl/commit/a7a44ba55cb4f884c6bc9ceac90072dea38e66d0


External References:

https://www.openssl.org/news/secadv_20150108.txt

Comment 2 Huzaifa S. Sidhpurwala 2015-01-12 08:30:07 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1181013]

Comment 4 Fedora Update System 2015-01-13 00:02:38 UTC
openssl-1.0.1k-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2015-01-20 21:06:12 UTC
openssl-1.0.1e-41.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 errata-xmlrpc 2015-01-21 21:29:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2015:0066 https://rhn.redhat.com/errata/RHSA-2015-0066.html

Comment 13 errata-xmlrpc 2015-04-16 15:39:22 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html

Comment 16 errata-xmlrpc 2016-08-22 18:08:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.1

Via RHSA-2016:1650 https://rhn.redhat.com/errata/RHSA-2016-1650.html

Comment 17 Andrej Nemec 2017-09-08 12:23:16 UTC
Statement:

This issue affects the version of openssl098e as shipped with Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this issue as having Low security impact and does not plan to address this flaw for the above components in any future security updates.

This issue affects the version of openssl and openssl097a as shipped with Red Hat Enterprise Linux 5. Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.


Note You need to log in before you can comment on or make changes to this bug.