SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |   



Category:   Application (VPN)  >   OpenSSL Vendors:   OpenSSL.org
(Oracle Issues Fix for Oracle Linux) OpenSSL RSA Key Generation BN_mod_inverse() and BN_mod_exp_mont() Cache Timing Attack Lets Local Users Recover the Private Key
SecurityTracker Alert ID:  1042068
SecurityTracker URL:  https://securitytracker.com/id/1042068
CVE Reference:   CVE-2018-0737   (Links to External Site)
Date:  Nov 12 2018
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in OpenSSL. A local user can recover the private key in certain cases.

A local user that can conduct a cache timing side channel attack against the RSA key generation algorithm's BN_mod_inverse() and BN_mod_exp_mont() functions may be able to recover the private key.

The vendor was notified on April 4, 2018.

Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia, and Luis Manuel Alvarez Tapia reported this vulnerability.

Impact:   A local user that can conduct a cache timing attack on the target system may be able to recover the private key in certain cases.
Solution:   Oracle has issued a fix.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2018-3221.html

Vendor URL:  linux.oracle.com/errata/ELSA-2018-3221.html (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Apr 16 2018 OpenSSL RSA Key Generation BN_mod_inverse() and BN_mod_exp_mont() Cache Timing Attack Lets Local Users Recover the Private Key



 Source Message Contents

Subject:  [El-errata] ELSA-2018-3221 Moderate: Oracle Linux 7 openssl security, bug fix, and enhancement update


[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search


Content previously copyright SecurityGlobal.net LLC placed in the public domain on December 31, 2019.