Bug 1343400 (CVE-2016-2178) - CVE-2016-2178 openssl: Non-constant time codepath followed for certain operations in DSA implementation
Summary: CVE-2016-2178 openssl: Non-constant time codepath followed for certain operat...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2178
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1343401 1343402 1343403 1377623 1377624 1377625 1377626 1381809 1381810
Blocks: 1343404 1367347 1395463 1461790 1479475
TreeView+ depends on / blocked
 
Reported: 2016-06-07 09:12 UTC by Andrej Nemec
Modified: 2019-09-29 13:50 UTC (History)
35 users (show)

Fixed In Version: openssl 1.0.1u, openssl 1.0.2i
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that OpenSSL did not always use constant time operations when computing Digital Signature Algorithm (DSA) signatures. A local attacker could possibly use this flaw to obtain a private DSA key belonging to another user or service running on the same system.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:53:19 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1940 normal SHIPPED_LIVE Important: openssl security update 2016-09-27 17:46:00 UTC
Red Hat Knowledge Base (Solution) 2662211 None None None 2016-09-28 00:45:15 UTC
Red Hat Product Errata RHSA-2016:2957 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP 2.4.23 Release 2016-12-16 03:11:19 UTC
Red Hat Product Errata RHSA-2017:0193 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Release on RHEL 6 2017-01-26 01:05:09 UTC
Red Hat Product Errata RHSA-2017:0194 normal SHIPPED_LIVE Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.23 Release on RHEL 7 2017-01-26 01:04:50 UTC
Red Hat Product Errata RHSA-2017:1658 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update 2017-06-29 00:20:17 UTC
Red Hat Product Errata RHSA-2017:1659 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.16 natives update 2017-06-28 23:59:52 UTC

Description Andrej Nemec 2016-06-07 09:12:18 UTC
Operations in the DSA signing algorithm should run in constant time in order to avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that a non-constant time codepath is followed for certain operations. This has been demonstrated through a cache-timing attack to be sufficient for an attacker to recover the private DSA key.

Upstream fix:

https://git.openssl.org/?p=openssl.git;a=commitdiff;h=d168705e11526a4b487640c7cac5b53ee3646cbc
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=3681a4558c13198944e6f7f149c4be188e076e14

Comment 1 Andrej Nemec 2016-06-07 09:13:06 UTC
Created openssl101e tracking bugs for this issue:

Affects: epel-5 [bug 1343403]

Comment 2 Andrej Nemec 2016-06-07 09:13:20 UTC
Created openssl tracking bugs for this issue:

Affects: fedora-all [bug 1343401]

Comment 3 Andrej Nemec 2016-06-07 09:13:31 UTC
Created mingw-openssl tracking bugs for this issue:

Affects: fedora-all [bug 1343402]

Comment 5 Andrej Nemec 2016-06-08 15:49:23 UTC
Lowering the initial impact because of the nature of time-channel attack.

Comment 6 Andrej Nemec 2016-06-09 07:56:49 UTC
References (thread contains a discussion about severity of this issue):

http://seclists.org/oss-sec/2016/q2/493

Comment 8 Tomas Hoger 2016-09-19 20:17:01 UTC
Details of the issue and the attack taking advantage of it:

http://eprint.iacr.org/2016/594
http://eprint.iacr.org/2016/594.pdf

Comment 10 Tomas Hoger 2016-09-22 12:00:58 UTC
Covered now by OpenSSL upstream security advisory and fixed in versions 1.0.1u and 1.0.2i.


Constant time flag not preserved in DSA signing (CVE-2016-2178)
===============================================================

Severity: Low

Operations in the DSA signing algorithm should run in constant time in order to
avoid side channel attacks. A flaw in the OpenSSL DSA implementation means that
a non-constant time codepath is followed for certain operations. This has been
demonstrated through a cache-timing attack to be sufficient for an attacker to
recover the private DSA key.

OpenSSL 1.0.2 users should upgrade to 1.0.2i
OpenSSL 1.0.1 users should upgrade to 1.0.1u

This issue was reported to OpenSSL on 23rd May 2016 by César Pereida (Aalto
University), Billy Brumley (Tampere University of Technology), and Yuval Yarom
(The University of Adelaide and NICTA). The fix was developed by César Pereida.


External References:

https://www.openssl.org/news/secadv/20160922.txt
http://eprint.iacr.org/2016/594

Comment 11 errata-xmlrpc 2016-09-27 13:53:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:1940 https://rhn.redhat.com/errata/RHSA-2016-1940.html

Comment 13 errata-xmlrpc 2016-12-15 22:11:29 UTC
This issue has been addressed in the following products:



Via RHSA-2016:2957 https://rhn.redhat.com/errata/RHSA-2016-2957.html

Comment 14 errata-xmlrpc 2017-01-25 20:06:19 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2017:0194 https://access.redhat.com/errata/RHSA-2017:0194

Comment 15 errata-xmlrpc 2017-01-25 20:07:41 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2017:0193 https://access.redhat.com/errata/RHSA-2017:0193

Comment 17 errata-xmlrpc 2017-06-28 20:01:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:1659 https://access.redhat.com/errata/RHSA-2017:1659

Comment 18 errata-xmlrpc 2017-06-28 20:20:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:1658 https://access.redhat.com/errata/RHSA-2017:1658


Note You need to log in before you can comment on or make changes to this bug.