Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <19648147a97551f40744fddcc2a58890c2b59b76.camel@openssl.org>
Date: Mon, 20 Jan 2025 14:37:26 +0100
From: Tomas Mraz <tomas@...nssl.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-13176: OpenSSL: Timing side-channel in ECDSA signature computation

OpenSSL Security Advisory [20th January 2025]
=============================================

Timing side-channel in ECDSA signature computation (CVE-2024-13176)
===================================================================

Severity: Low

Issue summary: A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations
could allow recovering the private key by an attacker. However, measuring
the timing would require either local access to the signing application or
a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the attacker
process must either be located in the same physical computer or must
have a very fast network connection with low latency. For that reason
the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.4 users should upgrade to OpenSSL 3.4.1 once it is released.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.3 once it is released.

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.4 once it is released.

OpenSSL 3.1 users should upgrade to OpenSSL 3.1.8 once it is released.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.16 once it is released.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1zb once it is released
(premium support customers only).

OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zl once it is released
(premium support customers only).

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next release of each
branch, once it becomes available. The fix is also available in commit
77c608f4 (for 3.4), commit 392dcb33 (for 3.3), commit 4b1cb94 (for 3.2),
commit 2af62e74 (for 3.1) and commit 07272b05 (for 3.0) in the OpenSSL git
repository.

It is available to premium support customers in commit a2639000 (for 1.1.1) and in
commit 0d5fd1ab (for 1.0.2).

This issue was reported on 4th September 2024 by George Pantelakis and
Alicja Kario (Red Hat).
The fix was developed by Tomas Mraz.

General Advisory Notes
======================

URL for this Security Advisory:
https://openssl-library.org/news/secadv/20250120.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://openssl-library.org/policies/general/security-policy/


Download attachment "signature.asc" of type "application/pgp-signature" (859 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.