Lucene search

Veracode Vulnerability DatabaseVERACODE:3497

HistoryFeb 08, 2017 - 2:53 a.m.

Side-channel Timing Attack

2017-02-0802:53:24

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

JSON

OpenSSL is vulnerable to side-channel timing attacks. These attacks are possible because the Montgomery ladder implementation doesn’t run swap operations in constant time which makes it easier for local users to obtain ECDSA nonce values.

CPENameOperatorVersion
openssleq1.0.0
openssleq1.0.0

CPE	Name	Operator	Version
	openssl	eq	1.0.0
	openssl	eq	1.0.0

References

advisories.mageia.org/MGASA-2014-0165.html

eprint.iacr.org/2014/140

git.openssl.org/gitweb/?p=openssl.git%3Ba=commit%3Bh=2198be3483259de374f91e57d247d0fc667aef29

git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f91e57d247d0fc667aef29

kb.juniper.net/InfoCenter/index?page=content&id=JSA10629

lists.opensuse.org/opensuse-security-announce/2016-03/msg00011.html

lists.opensuse.org/opensuse-updates/2014-04/msg00007.html

marc.info/?l=bugtraq&m=140266410314613&w=2

marc.info/?l=bugtraq&m=140317760000786&w=2

marc.info/?l=bugtraq&m=140389274407904&w=2

marc.info/?l=bugtraq&m=140389355508263&w=2

marc.info/?l=bugtraq&m=140448122410568&w=2

marc.info/?l=bugtraq&m=140482916501310&w=2

marc.info/?l=bugtraq&m=140621259019789&w=2

marc.info/?l=bugtraq&m=140752315422991&w=2

marc.info/?l=bugtraq&m=140904544427729&w=2

secunia.com/advisories/58492

secunia.com/advisories/58727

secunia.com/advisories/58939

secunia.com/advisories/59040

secunia.com/advisories/59162

secunia.com/advisories/59175

secunia.com/advisories/59264

secunia.com/advisories/59300

secunia.com/advisories/59364

secunia.com/advisories/59374

secunia.com/advisories/59413

secunia.com/advisories/59438

secunia.com/advisories/59445

secunia.com/advisories/59450

secunia.com/advisories/59454

secunia.com/advisories/59490

secunia.com/advisories/59495

secunia.com/advisories/59514

secunia.com/advisories/59655

secunia.com/advisories/59721

secunia.com/advisories/60571

support.apple.com/kb/HT6443

tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl

www-01.ibm.com/support/docview.wss?uid=isg400001841

www-01.ibm.com/support/docview.wss?uid=isg400001843

www-01.ibm.com/support/docview.wss?uid=swg21673137

www-01.ibm.com/support/docview.wss?uid=swg21676035

www-01.ibm.com/support/docview.wss?uid=swg21676062

www-01.ibm.com/support/docview.wss?uid=swg21676092

www-01.ibm.com/support/docview.wss?uid=swg21676419

www-01.ibm.com/support/docview.wss?uid=swg21676424

www-01.ibm.com/support/docview.wss?uid=swg21676501

www-01.ibm.com/support/docview.wss?uid=swg21676655

www-01.ibm.com/support/docview.wss?uid=swg21677695

www-01.ibm.com/support/docview.wss?uid=swg21677828

www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-345106.htm

www.mandriva.com/security/advisories?name=MDVSA-2014:067

www.mandriva.com/security/advisories?name=MDVSA-2015:062

www.novell.com/support/kb/doc.php?id=7015264

www.novell.com/support/kb/doc.php?id=7015300

www.openssl.org/news/secadv_20140605.txt

www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

www.securityfocus.com/bid/66363

www.ubuntu.com/usn/USN-2165-1

bugs.gentoo.org/show_bug.cgi?id=505278

bugzilla.novell.com/show_bug.cgi?id=869945

git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2198be3483259de374f91e57d247d0fc667aef29

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05301946

kc.mcafee.com/corporate/index?page=content&id=SB10075

www.openssl.org/news/secadv/20140605.txt

1.9 Low

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

JSON

Side-channel Timing Attack

References

Related