Bug 845686 - (CVE-2007-6755) VUL-0: CVE-2007-6755: Dual_EC_DRBG considered unsafe
VUL-0: CVE-2007-6755: Dual_EC_DRBG considered unsafe
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other / OS: Other
Priority: P3 - Medium / Severity: Major
Assigned To: Security Team bot
Depends on:
Reported: 2013-10-14 06:11 UTC by Marcus Meissner
Modified: 2013-10-16 08:57 UTC (History)
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2013-10-14 06:11:36 UTC

The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.

Reference: MISC: https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
Reference: MISC: http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect
Reference: MISC: http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/
Reference: MISC: http://rump2007.cr.yp.to/15-shumow.pdf
Reference: MISC: http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html
Reference: MISC: http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html
Reference: MISC: http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/
Comment 1 Marcus Meissner 2013-10-14 06:17:59 UTC
need to review our crypto modules, at least

- openssl
- gnutls (and/or dependent)
- mozilla nss
Comment 2 Shawn Chang 2013-10-14 06:52:41 UTC
according to this analysis article:

This issue will be an issue only if we are using openssl-FIPS. We have a FIPS-140-2 patch for SLES11. The first version of the Dual_EC_DRBG implementation was pushed upstream in 2011:

I think our openssl is safe for now. What do you think, Marcus?
Comment 3 Swamp Workflow Management 2013-10-14 22:00:10 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2013-10-16 08:56:30 UTC
openssl - SLE11 SP1 , SP2, SP3 - Dual_EC_DRBG not contained in source
gnutls - SLE11 GA and later - Dual_EC_DRBG not contained in source

openSUSE 12.2,12.3,13.1,factory - not contained

libnettle factory  - does not have it
gnutls factory    - does not have it
mozilla-nss 3.15.2 - does not have it.

As Shawn wrote, the openssl FIPS additional patch to openssl developed in 2011
did have it, but it was not part of our openssl certification in 2012.

-> so we can consider ourselves unaffected.
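The "not contained in source" check above, done by hand per package, can be scripted. The scanner below is an added example, not part of this bug report or of any SUSE tooling; the identifier patterns it looks for (the `fips_drbg_ec` / `FIPS_drbg_ec` names of the OpenSSL FIPS module's Dual_EC code, plus plain spellings of the algorithm name) and the sample tree it builds are assumptions constructed for the demonstration.

```python
"""Audit a source tree for Dual_EC_DRBG code (added example, not SUSE's tooling)."""
import os
import re
import tempfile

# Assumed markers: OpenSSL FIPS module identifiers for Dual_EC plus the algorithm name.
# Extend with the actual identifiers of whatever module is being audited.
DUAL_EC_PATTERNS = re.compile(
    r"dual[_ ]?ec[_ ]?drbg|fips_drbg_ec|FIPS_drbg_ec|drbg_ec", re.IGNORECASE
)
# Patches and spec files count too: a FIPS add-on patch can introduce Dual_EC into a
# tree whose base sources do not contain it (see Comments 2 and 4).
SOURCE_SUFFIXES = (".c", ".h", ".patch", ".diff", ".spec")


def scan_tree(root):
    """Return {relative_path: [line numbers]} for every file that mentions Dual_EC_DRBG."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SOURCE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = [i for i, line in enumerate(fh, 1) if DUAL_EC_PATTERNS.search(line)]
            # A matching file name (e.g. fips_drbg_ec.c) is a hit even with no matching line.
            if lines or DUAL_EC_PATTERNS.search(name):
                hits[os.path.relpath(path, root)] = lines
    return hits


def build_sample_tree():
    """Constructed sample: a plain OpenSSL-like tree plus a FIPS patch that adds Dual_EC."""
    root = tempfile.mkdtemp(prefix="dualec_audit_")
    os.makedirs(os.path.join(root, "crypto", "rand"))
    os.makedirs(os.path.join(root, "fips"))
    with open(os.path.join(root, "crypto", "rand", "md_rand.c"), "w") as fh:
        fh.write("/* default OpenSSL PRNG, no DRBG here */\nint RAND_bytes(void);\n")
    with open(os.path.join(root, "fips", "openssl-fips.patch"), "w") as fh:
        fh.write("+++ fips/rand/fips_drbg_ec.c\n+int FIPS_drbg_ec_init(void);\n+/* Dual_EC_DRBG */\n")
    return root


if __name__ == "__main__":
    hits = scan_tree(build_sample_tree())
    if not hits:
        print("no Dual_EC_DRBG markers found")
    for path, lines in sorted(hits.items()):
        print(f"{path}: Dual_EC_DRBG markers on lines {lines}")
```

Run it against an unpacked source package together with the distribution's patches, since the base tarball being clean says nothing about what a FIPS patch adds.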
Comment 5 Marcus Meissner 2013-10-16 08:57:29 UTC
perl bin/addnote CVE-2007-6755 "We have not the flawed Dual_EC_DRBG random generator in any of our products, neither SUSE Linux Enterprise nor openSUSE."