Bug 1990591 (CVE-2021-3798) - CVE-2021-3798 openCryptoki: Soft token does not check if an EC key is valid
Summary: CVE-2021-3798 openCryptoki: Soft token does not check if an EC key is valid
Alias: CVE-2021-3798
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1959894 1959936 1979173 1990592 1998233 1998234
Blocks: 1990593
TreeView+ depends on / blocked
Reported: 2021-08-05 16:55 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:32 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack.
Clone Of:
Last Closed: 2021-10-28 10:48:15 UTC

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-08-05 16:55:52 UTC
It was discovered that openCryptoki incorrectly handled certain EC keys. An attacker could possibly use this issue to cause a invalid curve attack.


Upstream patch:

Comment 1 Guilherme de Almeida Suckevicz 2021-08-05 16:56:05 UTC
Created openCryptoki tracking bugs for this issue:

Affects: fedora-all [bug 1990592]

Comment 5 Mauro Matteo Cascella 2021-09-10 15:31:55 UTC
As mentioned in the Ubuntu launchpad bug [1] EC support has been introduced in the Soft token with OCK 3.15.0, so this issue only affects openCryptoki versions >= 3.15.0 while earlier openCryptoki releases are not affected. In particular, EC support was introduced through commit [2].

[1] https://bugs.launchpad.net/ubuntu/+source/opencryptoki/+bug/1928780
[2] https://github.com/opencryptoki/opencryptoki/commit/a179fd01a265a98194d9c06ec5958da1dd2ecae3

Comment 7 Mauro Matteo Cascella 2021-09-13 10:19:59 UTC
In an invalid curve attack, the attacker is able to trick the vulnerable application into using curve points outside of the intended elliptic curve, making it possible to (potentially) extract the private key. A cryptographic library implementing El­lip­tic Curve Cryp­to­gra­phy (ECC) needs to make sure that only valid curve points will be processed, while invalid points are detected and discarded accordingly. This is what openCryptoki's patch aims to do by adding the missing check in fill_ec_key_from_pubkey() and fill_ec_key_from_privkey().

Comment 9 Mauro Matteo Cascella 2021-09-13 13:33:50 UTC
This issue has been addressed in Red Hat Enterprise Linux 8 via RHBA-2021:3054:


Note You need to log in before you can comment on or make changes to this bug.