Red Hat Bugzilla – Bug 86112
New timing attack on OpenSSL applications
Last modified: 2007-04-18 12:52:00 EDT

Description of problem:
Timing attack on RSA decryption because RSA blinding isn't
used in all applications (mod_ssl etc)

Version-Release number of selected component (if applicable):
This affects most applications that link to OpenSSL

In order to exploit this issue you need to be local to the machine or be on a
network that enables you to reliably observe sub-1ms timing differences.

Note that enabling RSA blinding is not trivial.

(Also note that this issue was entered for OpenSSL under Red Hat Linux 8.0 but
applies to all applications linked to OpenSSL under Red Hat Linux 6.2, 7, 7.1,
7.2, 8.0 and the Enterprise Linux family.)

This is CAN-2003-0147. The OpenSSL team are currently working on a patch that
enables RSA blinding by default, therefore only OpenSSL will need to be updated
and applications linked to it will not.
Was fixed by http://rhn.redhat.com/errata/RHSA-2003-101.html