[ASA-201901-11] go: private key recovery

Published: 2019-01-24 00:00:00
Source: security.archlinux.org
Tags: go package, private key recovery, vulnerability, elliptic curves, remote attacker, cpu, tls handshakes

CVSS2

Score : 6.4
Attack Vector : NETWORK
Attack Complexity : LOW
Authentication : NONE
Confidentiality Impact : PARTIAL
Integrity Impact : NONE
Availability Impact : PARTIAL
Vector : AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS3

Score : 8.2
Attack Vector : NETWORK
Attack Complexity : LOW
Privileges Required : NONE
User Interaction : NONE
Scope : UNCHANGED
Confidentiality Impact : LOW
Integrity Impact : NONE
Availability Impact : HIGH
Vector : CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

EPSS

Score : 0.017
Percentile : 88.1%

Arch Linux Security Advisory ASA-201901-11

Severity: Medium
Date : 2019-01-24
CVE-ID : CVE-2019-6486
Package : go
Type : private key recovery
Remote : Yes
Link : https://security.archlinux.org/AVG-859

Summary

The package go before version 2:1.11.5-1 is vulnerable to private key
recovery.

Resolution

Upgrade to 2:1.11.5-1.

pacman -Syu "go>=2:1.11.5-1"

The problem has been fixed upstream in version 1.11.5.

Workaround

None.

Description

Go before versions 1.10.8 and 1.11.5 has a vulnerability in the
crypto/elliptic implementations of the P-521 and P-384 elliptic curves.
A remote attacker can exploit this by crafting inputs that consume
excessive amounts of CPU. These inputs might be delivered via TLS
handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA
signatures. In some cases, if an ECDH private key is reused more than
once, the attack can also lead to key recovery.
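
Because Go compiles its standard library into every binary, the version that matters is the toolchain a binary was built with, which runtime.Version() reports. The following is an added example, not part of the advisory or the Go project: it classifies a release string against the fixed versions named above (1.10.8 and 1.11.5). The function name Affected and the choice to reject non-release builds are assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// release matches final release strings such as "go1.11.4" or "go1.11".
var release = regexp.MustCompile(`^go(\d+)\.(\d+)(?:\.(\d+))?$`)

// Affected reports whether a Go release predates the fixed versions named in
// the advisory: 1.10.8 on the 1.10 branch and 1.11.5 on the 1.11 branch.
// Anything that is not a final release (devel, beta, rc builds) returns an
// error so it gets reviewed by hand instead of being silently passed.
func Affected(version string) (bool, error) {
	m := release.FindStringSubmatch(version)
	if m == nil {
		return false, fmt.Errorf("cannot classify Go version %q", version)
	}
	major, _ := strconv.Atoi(m[1])
	minor, _ := strconv.Atoi(m[2])
	patch := 0 // "go1.11" means 1.11.0
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3])
	}
	switch {
	case major > 1:
		return false, nil
	case major < 1 || minor < 10:
		return true, nil // older branches: before both fixed versions
	case minor == 10:
		return patch < 8, nil
	case minor == 11:
		return patch < 5, nil
	default:
		return false, nil // 1.12 and later are after 1.11.5
	}
}

func main() {
	v := runtime.Version() // toolchain this binary was built with
	bad, err := Affected(v)
	if err != nil {
		fmt.Println("manual review needed:", err)
		return
	}
	fmt.Printf("%s affected by CVE-2019-6486: %v\n", v, bad)
}
```

Binaries built with an affected toolchain need to be rebuilt after the upgrade; updating the go package alone does not change them.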

Impact

A remote attacker can crash the system with maliciously crafted input,
or recover the private key.

References

https://groups.google.com/forum/m/#!topic/golang-announce/mVeX35iXuSw
https://github.com/golang/go/issues/29903
https://github.com/golang/go/commit/42b42f71
https://security.archlinux.org/CVE-2019-6486

OS         OS Version  Architecture  Package  Package Version  Filename
ArchLinux  any         any           go       < 2:1.11.5-1     UNKNOWN
