Bug 757909 - (CVE-2011-4354) CVE-2011-4354 openssl: ECC private leak (disclosure of TLS server's private key)
CVE-2011-4354 openssl: ECC private leak (disclosure of TLS server's private key)
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On:
Blocks: 758255
  Show dependency treegraph
Reported: 2011-11-28 17:55 EST by Vincent Danen
Modified: 2011-11-29 16:21 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-11-29 16:21:11 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2011-11-28 17:55:03 EST
It was reported that OpenSSL 0.9.8g (only in the 32-bit build) was vulnerable to a bug where, in extremely rare instances, the bug would cause incorrect computation of finite field operations when using NIST elliptic curves P-256 or P-384.  This flaw could allow for the retrieval of a TLS server's private key.  A paper was published [1] describing the attack.

There are some very specific pre-requisites for a successful attack:

- OpenSSL 0.9.8g (32-bit build)
- use of NIST elliptic curve P-256 and/or P-384
- the use of ECDH family ciphers and/or the use of ECDHE family ciphers *and* the lack of SSL_OP_SINGLE_ECDH_USE context option

This bug is corrected in OpenSSL >= 0.9.8h and does not affect earlier versions of OpenSSL than 0.9.8g.  A series of patches [2] fix this upstream (starting with r.1.15).

[1] http://eprint.iacr.org/2011/633
[2] http://cvs.openssl.org/rlog?f=openssl%2Fcrypto%2Fbn%2Fbn_nist.c
Comment 12 Vincent Danen 2011-11-29 16:21:11 EST

This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6 as they did not include support for the ECDH or ECDHE ciphers.

Note You need to log in before you can comment on or make changes to this bug.