[Pkg-openssl-devel] openssl 1.0.0e vulnerability

Thijs Kinkhorst thijs at debian.org
Thu Oct 6 12:07:50 UTC 2011


On Thu, October 6, 2011 14:01, Julian Gilbey wrote:
> Package: openssl 1.0.0e
>
> [This could be submitted as a bug against openssl since the attack is
> public.  Package maintainers copied in.]
>
> The Wikipedia page http://en.wikipedia.org/wiki/RSA refers to a paper
> http://www.eecs.umich.edu/~taustin/papers/DATE10-rsa.pdf in which a
> fault-based attack on RSA is described.  The authors point out a
> significant security flaw in openssl 0.9.8i which appears to be still
> present in 1.0.0e.
>
> I think this is where the flaw they refer to lies:
>
> In the file crypto/rsa/rsa_eay.c, at line 850, if the CRT-based
> modular exponentiation has failed, a second attempt is tried using
> bn_mod_exp (line 862 or 866).  However, the results of this attempt
> are NOT then verified.  The paper then describes how this weakness can
> be exploited.
>
> The fix appears to be straightforward: once this alternative path is
> used, the result should also be verified as it was on lines 839-850
> before returning it.  If verification fails, then the function should
> return an error.

Thanks. Kurt, do you have more information about this and/or can you take
this up with upstream?


Cheers,
Thijs
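
An added illustration of why the verification step Julian refers to matters (example code written for this archive page, not code from OpenSSL or from the cited paper): the classic Boneh-DeMillo-Lipton / Lenstra fault attack on RSA-CRT. If one of the two half-exponentiations is corrupted and the faulty signature is released, gcd(s'^e - m, N) yields a prime factor of N in a single step. The key and message are constructed toy values chosen so the arithmetic stays readable, and the "fault" is simulated by adding one to the mod-p result; the function names are this example's own.

```python
"""Constructed example: RSA-CRT signing, the release-time check, and the
one-faulty-signature factoring attack that the check is there to stop.
Pure Python, no external dependencies (requires Python 3.8+ for pow(x, -1, m)).
"""
from math import gcd

# Constructed toy key: small primes so values stay readable.  Never use such sizes for real keys.
P = 1000003
Q = 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)
DP = D % (P - 1)          # CRT exponent for the mod-p half
DQ = D % (Q - 1)          # CRT exponent for the mod-q half
QINV = pow(Q, -1, P)      # q^-1 mod p, for Garner recombination


def rsa_crt_sign(m, fault_in_p=False):
    """RSA signature of m computed via CRT.

    With fault_in_p=True a single glitch in the mod-p half-exponentiation is
    simulated: the mod-q half stays correct, so the result is right mod q and
    wrong mod p.  That asymmetry is exactly what the attacker exploits.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P  # simulated hardware/transient fault (assumption of this example)
    h = (QINV * (sp - sq)) % P
    return (sq + h * Q) % N


def rsa_verify(sig, m):
    """Public-key check: does sig^e recover m mod N?"""
    return pow(sig, E, N) == m % N


def sign_with_check(m, fault_in_p=False):
    """Compute via CRT, then verify with the public exponent before releasing.

    Returns None instead of a faulty signature: a released faulty value would
    leak the private key (see bellcore_factor below).
    """
    s = rsa_crt_sign(m, fault_in_p)
    if not rsa_verify(s, m):
        return None
    return s


def bellcore_factor(faulty_sig, m):
    """Recover a prime factor of N from one faulty CRT signature plus the message.

    faulty_sig^e == m (mod q) but != m (mod p), so q divides faulty_sig^e - m
    while p almost certainly does not; the gcd with N therefore isolates q.
    """
    f = gcd((pow(faulty_sig, E, N) - m) % N, N)
    if 1 < f < N:
        return f
    return None


if __name__ == "__main__":
    msg = 123456789
    assert rsa_verify(rsa_crt_sign(msg), msg)
    print("checked path, faulted CRT:", sign_with_check(msg, fault_in_p=True))
    leaked = bellcore_factor(rsa_crt_sign(msg, fault_in_p=True), msg)
    print("factor recovered from the unchecked faulty signature:", leaked, "q =", Q)
```

The check in `sign_with_check` is the same kind of `s^e == m` test the reporter describes for the CRT path; the point of the report is that any value produced by a fallback computation must pass through the same gate before it leaves the function, because the public-key verification costs one exponentiation while a released bad signature costs the key.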
