[Pkg-openssl-devel] openssl 1.0.0e vulnerability
Thijs Kinkhorst
thijs at debian.org
Fri Oct 7 07:17:51 UTC 2011
On Thu, October 6, 2011 18:15, Julian Gilbey wrote:
> On Thu, Oct 06, 2011 at 02:23:31PM +0200, Florian Weimer wrote:
>> * Julian Gilbey:
>>
>> > In the file crypto/rsa/rsa_eay.c, at line 850, if the CRT-based
>> > modular exponentiation has failed, a second attempt is tried using
>> > bn_mod_exp (line 862 or 866). However, the results of this attempt
>> > are NOT then verified. The paper then describes how this weakness can
>> > be exploited.
>>
>> IIRC, this requires faulty hardware, on a very thin line where the
>> system still mostly works, but the modular exponentiation fail
>> nevertheless. This seems rather unlikely. In addition, such an
>> attack wouldn't work against TLS servers because they do not perform
>> RSA signing.
>>
>> I always thought that this paper was a great compliment to the OpenSSL
>> authors---usually, you don't have to resort to faulty hardware to
>> uncover security issues. 8-)
>
> :-)
>
> A careful reading of the paper shows that the hardware was perfectly
> functional but forced to fail in a very specific way due to carefully
> changing the input power voltage. The only reason that this attack
> was capable of being successful was because the openssl code took care
> to protect against the possibility of the CRT approach being
> compromised but not the fallback method. It seems fairly
> straightforward to fix this potential hole, especially as this exploit
> is now available for all to read.
If I read that this attack vector requires carefully changing the input
voltage, I'm tempted to conclude that (a) it would be good if upstream
addressed this and that fix would trickle down to Debian over time, and
(b) it seems rare enough not to issue a DSA for it.
Opinions?
Thijs
More information about the Pkg-openssl-devel
mailing list