Bugzilla – Bug 845686
VUL-0: CVE-2007-6755: Dual_EC_DRBG considered unsafe
Last modified: 2013-10-16 08:57:29 UTC
CVE-2007-6755: The NIST SP 800-90A default statement of the Dual Elliptic Curve Deterministic Random Bit Generation (Dual_EC_DRBG) algorithm contains point Q constants with a possible relationship to certain "skeleton key" values, which might allow context-dependent attackers to defeat cryptographic protection mechanisms by leveraging knowledge of those values. NOTE: this is a preliminary CVE for Dual_EC_DRBG; future research may provide additional details about point Q and associated attacks, and could potentially lead to a RECAST or REJECT of this CVE.

References:
- MISC: https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html
- MISC: http://threatpost.com/in-wake-of-latest-crypto-revelations-everything-is-suspect
- MISC: http://stream.wsj.com/story/latest-headlines/SS-2-63399/SS-2-332655/
- MISC: http://rump2007.cr.yp.to/15-shumow.pdf
- MISC: http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html
- MISC: http://blog.cryptographyengineering.com/2013/09/rsa-warns-developers-against-its-own.html
- MISC: http://arstechnica.com/security/2013/09/stop-using-nsa-influence-code-in-our-product-rsa-tells-customers/
Need to review our crypto modules, at least:
- openssl
- gnutls (and/or dependent)
- mozilla nss
According to this analysis article: http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html this issue will be an issue only if we are using openssl-FIPS. We have a FIPS-140-2 patch for SLES11. The first version of the Dual_EC_DRBG implementation was pushed upstream in 2011: https://github.com/openssl/openssl/commit/7fdcb45745c01b90b256fe97e87eae31453e11e6#diff-f32b6c02a4d65076516461287390f7a9 I think our openssl is safe for now. What do you think? Marcus.
bugbot adjusting priority
- openssl - SLE11 SP1, SP2, SP3 - Dual_EC_DRBG not contained in source
- gnutls - SLE11 GA and later - Dual_EC_DRBG not contained in source
- openSUSE 12.2, 12.3, 13.1, factory - not contained
- libnettle factory - does not have it
- gnutls factory - does not have it
- mozilla-nss 3.15.2 - does not have it

As Shawn wrote, the openssl FIPS additional patch to openssl developed in 2011 did have it, but it was not part of our openssl certification in 2012.
-> so we can consider ourselves unaffected.
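The per-package audit in the comment above (is the Dual_EC_DRBG code present in a given source tree or not) can be scripted. The following is an added example, not a script from this bug or from the SUSE security team: it greps unpacked source trees for the identifiers under which the algorithm is usually named in code (the pattern list is an assumption; extend it for the trees you actually audit) and reports a per-tree verdict. The two sample trees it scans are constructed inline so it runs stand-alone.

```shell
#!/bin/sh
# Added example: audit unpacked source trees for Dual_EC_DRBG references.
# The identifier list below is an assumption about how the algorithm is
# commonly spelled in C sources; adjust it for the packages you audit.
DUAL_EC_PATTERN='dual_ec|Dual_EC|DUAL_EC|EC_DRBG|ec_drbg'

# audit_tree DIR: lists files that reference Dual_EC_DRBG.
# Returns 0 when the tree is clean, 1 when any reference is found.
audit_tree() {
    dir=$1
    # grep exits 1 on "no match"; treat that as an empty hit list, not an error
    hits=$(grep -rEl "$DUAL_EC_PATTERN" "$dir" 2>/dev/null || :)
    if [ -z "$hits" ]; then
        echo "$dir: clean (no Dual_EC_DRBG references)"
        return 0
    fi
    echo "$dir: Dual_EC_DRBG references found:"
    echo "$hits" | sed 's/^/  /'
    return 1
}

# Constructed sample trees (not real OpenSSL sources) so the script runs offline:
# one plain RNG tree and one stand-in for a FIPS patch that carries the EC DRBG.
SANDBOX=$(mktemp -d)
mkdir -p "$SANDBOX/openssl-plain/crypto/rand" "$SANDBOX/openssl-fips/fips/rand"
cat > "$SANDBOX/openssl-plain/crypto/rand/rand_lib.c" <<'EOF'
/* constructed: ordinary RNG glue, no Dual EC */
int RAND_bytes(unsigned char *buf, int num);
EOF
cat > "$SANDBOX/openssl-fips/fips/rand/fips_drbg_ec.c" <<'EOF'
/* constructed: stand-in for a FIPS patch carrying the EC DRBG */
static int dual_ec_generate(unsigned char *out, int len);
EOF

audit_tree "$SANDBOX/openssl-plain"
audit_tree "$SANDBOX/openssl-fips"
rm -rf "$SANDBOX"
```

In practice, point audit_tree at the unpacked upstream tarball plus applied distribution patches (the FIPS patch mentioned in the comment is exactly the kind of out-of-tree addition a scan of the pristine tarball would miss), and treat any hit as a prompt to read the code rather than as a verdict by itself: a matching identifier may belong to a test vector or a disabled code path, and an absent identifier does not prove the construction is absent under another name.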
perl bin/addnote CVE-2007-6755 "We have not the flawed Dual_EC_DRBG random generator in any of our products, neither SUSE Linux Enterprise nor openSUSE."