Bug 570942 (CVE-2010-0928) - CVE-2010-0928 openssl: RSA authentication weakness
Summary: CVE-2010-0928 openssl: RSA authentication weakness
Alias: CVE-2010-0928
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Depends On:
TreeView+ depends on / blocked
Reported: 2010-03-05 21:52 UTC by Vincent Danen
Modified: 2021-11-12 20:04 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-11-06 06:49:14 UTC

Attachments (Terms of Use)

Description Vincent Danen 2010-03-05 21:52:54 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0928 to
the following vulnerability:

Name: CVE-2010-0928
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0928
Assigned: 20100305
Reference: MISC: http://www.eecs.umich.edu/%7Evaleria/research/publications/DATE10RSA.pdf
Reference: MISC: http://www.networkworld.com/news/2010/030410-rsa-security-attack.html

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx
Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm
for certain signature calculations, and does not verify the signature
before providing it to a caller, which makes it easier for physically
proximate attackers to determine the private key via a modified supply
voltage for the microprocessor, related to a "fault-based attack."

Comment 1 Mark J. Cox 2010-03-08 09:59:41 UTC
CVE-2010-0928 describes a fault-based attack on OpenSSL where an attacker has precise control over the target system environment in order to be able to introduce faults through power supply manipulation. 

The Red Hat Security Response Team has rated this issue as having low security impact, as the attack is not a viable threat to OpenSSL as used in Red Hat products.

Note You need to log in before you can comment on or make changes to this bug.