Bug 757909 (CVE-2011-4354) - CVE-2011-4354 openssl: ECC private leak (disclosure of TLS server's private key)
Summary: CVE-2011-4354 openssl: ECC private leak (disclosure of TLS server's private key)
Alias: CVE-2011-4354
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: Embargoed, 758255
Reported: 2011-11-28 22:55 UTC by Vincent Danen
Modified: 2021-02-24 13:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-11-29 21:21:11 UTC


Description Vincent Danen 2011-11-28 22:55:03 UTC
It was reported that OpenSSL 0.9.8g (only in the 32-bit build) was vulnerable to a bug where, in extremely rare instances, the bug would cause incorrect computation of finite field operations when using NIST elliptic curves P-256 or P-384.  This flaw could allow for the retrieval of a TLS server's private key.  A paper was published [1] describing the attack.

There are some very specific pre-requisites for a successful attack:

- OpenSSL 0.9.8g (32-bit build)
- use of NIST elliptic curve P-256 and/or P-384
- the use of ECDH family ciphers and/or the use of ECDHE family ciphers *and* the lack of SSL_OP_SINGLE_ECDH_USE context option

This bug is corrected in OpenSSL >= 0.9.8h and does not affect versions of OpenSSL earlier than 0.9.8g.  A series of patches [2] fix this upstream (starting with revision 1.15).

[1] http://eprint.iacr.org/2011/633
[2] http://cvs.openssl.org/rlog?f=openssl%2Fcrypto%2Fbn%2Fbn_nist.c
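The flaw above lives in the fast modular reduction for the NIST curves (the bn_nist.c code referenced in [2]): a word-oriented reduction that is right for almost every input and wrong for a rare few. The block below is an added example, not code from OpenSSL, from the paper, or from the bug report, and it does not reproduce the 0.9.8g defect itself. It implements the P-256 reduction from FIPS 186-4 Appendix D.2.3 in pure Python with 32-bit words, and runs the differential check a practitioner would want against such code: compare the fast path with plain integer `% p` on carry-heavy edge cases and on products of random field elements, since random inputs alone rarely hit the inputs where carry-handling mistakes hide. All function names (`reduce_p256`, `differential_check`) are this example's own.

```python
"""Differential check of a FIPS 186-4 style fast reduction for NIST P-256.

Added example (not OpenSSL code): the reduction formula is the one published
in FIPS 186-4 Appendix D.2.3; the harness compares it against Python's
big-integer modulus so that any input on which the fast path is wrong is
reported.
"""
import random

P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1
W = 32                      # word size in bits, as in a 32-bit build
MASK = (1 << W) - 1


def words(c, n=16):
    """Split a non-negative integer into n little-endian 32-bit words."""
    return [(c >> (W * i)) & MASK for i in range(n)]


def pack(ws):
    """Join 32-bit words, most significant word first, into an integer."""
    v = 0
    for w in ws:
        v = (v << W) | w
    return v


def reduce_p256(c):
    """Reduce 0 <= c < 2**512 modulo P256 using the FIPS 186-4 D.2.3 formula."""
    if not 0 <= c < 1 << 512:
        raise ValueError("input must be a 16-word (512-bit) integer")
    c = words(c)
    # The nine 256-bit terms of Appendix D.2.3, written (a7, ..., a0).
    s1 = pack((c[7], c[6], c[5], c[4], c[3], c[2], c[1], c[0]))
    s2 = pack((c[15], c[14], c[13], c[12], c[11], 0, 0, 0))
    s3 = pack((0, c[15], c[14], c[13], c[12], 0, 0, 0))
    s4 = pack((c[15], c[14], 0, 0, 0, c[10], c[9], c[8]))
    s5 = pack((c[8], c[13], c[15], c[14], c[13], c[11], c[10], c[9]))
    s6 = pack((c[10], c[8], 0, 0, 0, c[13], c[12], c[11]))
    s7 = pack((c[11], c[9], 0, 0, c[15], c[14], c[13], c[12]))
    s8 = pack((c[12], 0, c[10], c[9], c[8], c[15], c[14], c[13]))
    s9 = pack((c[13], 0, c[11], c[10], c[9], 0, c[15], c[14]))
    t = s1 + 2 * s2 + 2 * s3 + s4 + s5 - s6 - s7 - s8 - s9
    # t is congruent to c mod p, but may be negative or a few multiples of p
    # too large.  A constant-time implementation fixes that with a fixed
    # number of conditional add/subtract steps; this final carry/borrow
    # handling is exactly where a "rare incorrect computation" bug hides.
    while t < 0:
        t += P256
    while t >= P256:
        t -= P256
    return t


# Constructed carry-heavy inputs: boundaries of the field and of the word grid.
EDGE_CASES = [
    0, 1, P256 - 1, P256, P256 + 1,
    (1 << 256) - 1, 1 << 256, (1 << 512) - 1,
    P256 * P256 - 1,                            # largest product of two field elements
    pack([MASK, 0] * 8), pack([0, MASK] * 8),   # alternating all-ones words
]


def differential_check(n_random=2000, seed=2011):
    """Return every input on which reduce_p256 disagrees with c % P256."""
    rng = random.Random(seed)       # fixed seed: the run is reproducible
    inputs = list(EDGE_CASES)
    inputs += [rng.getrandbits(512) for _ in range(n_random)]
    # Products of random field elements: the inputs a point-multiplication
    # routine actually feeds into the reduction.
    inputs += [rng.randrange(P256) * rng.randrange(P256) for _ in range(n_random)]
    return [c for c in inputs if reduce_p256(c) != c % P256]


if __name__ == "__main__":
    bad = differential_check()
    print("mismatches:", len(bad))
    for c in bad[:5]:
        print(hex(c))
```

The point of the harness is the input set, not the arithmetic: a reduction that only mishandles a borrow at one word boundary passes thousands of random products and still fails on an input an attacker can construct, which is why the edge cases are listed explicitly rather than left to the random draws.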

Comment 12 Vincent Danen 2011-11-29 21:21:11 UTC

This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5, or 6 as they did not include support for the ECDH or ECDHE ciphers.
