Billy Bob Brumley and Nicola Tuveri discovered an attack against OpenSSL's implementation of the ECDSA signature algorithm. They succeeded in remotely obtaining the private key of a TLS server using ECDSA. The details can be found in their paper "Remote Timing Attacks are Still Practical":

http://eprint.iacr.org/2011/232
http://eprint.iacr.org/2011/232.pdf
http://www.kb.cert.org/vuls/id/536044

A fix based on the one proposed by the paper's authors was committed to upstream CVS:

http://cvs.openssl.org/chngview?cn=20892

However, some concerns have been raised about the reversed #ifdef / #ifndef:

http://marc.info/?l=openssl-dev&m=130650560927163&w=2

Acknowledgement: Red Hat would like to thank the CERT/CC for reporting this issue. The CERT/CC acknowledges Billy Bob Brumley and Nicola Tuveri as the original reporters.
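As an added illustration (not code from OpenSSL or from the paper's authors), the following Python ladder shows why the fix pads the scalar: a Montgomery ladder that loops once per bit of the ECDSA nonce runs a number of steps equal to the nonce's bit length, which is what a timing observer learns, and padding the scalar by the group order makes that count constant without changing the result. The toy prime-field curve y^2 = x^3 + x + 1 over F_23 (group order 28) is a constructed stand-in for OpenSSL's binary-field ladder; the control-flow issue is the same.

```python
# Added illustration, not the OpenSSL code the advisory refers to. A
# Montgomery ladder that loops once per bit of the scalar leaks the scalar's
# bit length through its running time; the fix proposed in the paper pads the
# scalar by the group order so every ladder runs a fixed number of steps.
# Toy prime-field curve (constructed for brevity; the affected OpenSSL code is
# the binary-field ladder, but the control-flow issue is the same).
p, a, b = 23, 1, 1          # y^2 = x^3 + x + 1 over F_23
G = (3, 10)                 # a point on the curve
n = 28                      # order of E(F_23), so n*G is the point at infinity

def inv(x):
    return pow(x, p - 2, p)  # modular inverse via Fermat's little theorem

def add(P, Q):
    """Affine point addition; None is the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return None
    if P == Q:
        lam = (3 * P[0] * P[0] + a) * inv(2 * P[1]) % p
    else:
        lam = (Q[1] - P[1]) * inv(Q[0] - P[0]) % p
    x = (lam * lam - P[0] - Q[0]) % p
    return (x, (lam * (P[0] - x) - P[1]) % p)

def ladder(k, P):
    """Montgomery ladder. Returns (k*P, steps); steps == k.bit_length(),
    which is exactly what a timing observer learns about the nonce."""
    R0, R1 = None, P
    steps = 0
    for bit in bin(k)[2:]:
        if bit == "1":
            R0, R1 = add(R0, R1), add(R1, R1)
        else:
            R1, R0 = add(R0, R1), add(R0, R0)
        steps += 1
    return R0, steps

def ladder_padded(k, P, order):
    """Fix: add the order (once or twice) so the scalar always has the bit
    length of 2*order; since order*P is infinity the result is unchanged."""
    kp = k + order
    if kp.bit_length() <= order.bit_length():
        kp += order
    return ladder(kp, P)
```

For every scalar 1..27 the padded ladder returns the same point as the plain one but always in 6 steps, whereas the plain ladder takes between 1 and 5.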
Statement: Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6, as they do not include support for elliptic curve cryptography.
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-1945 to the following vulnerability:

Name: CVE-2011-1945
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1945
Assigned: 20110509
Reference: http://eprint.iacr.org/2011/232.pdf
Reference: http://www.kb.cert.org/vuls/id/MAPG-8FENZ3
Reference: CERT-VN:VU#536044
Reference: http://www.kb.cert.org/vuls/id/536044

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.