Bug 963413 - (CVE-2016-0701) VUL-0: CVE-2016-0701: openssl: DH small subgroups
Status: RESOLVED WORKSFORME
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Security
Version: Current
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
Depends on: 963410
Reported: 2016-01-25 12:26 UTC by Andreas Stieger
Modified: 2016-02-09 19:29 UTC (History)
Found By: Security Response Team


Description Andreas Stieger 2016-01-25 12:26:30 UTC
Created attachment 663060: cve-2016-0701.patch

EMBARGOED via distros and private request.
CRD: 2016-01-28
Public part (pre-notification) is in bug 963410.

DH small subgroups (CVE-2016-0701)
==================================

Severity: High

Historically OpenSSL only ever generated DH parameters based on "safe" primes.
More recently (in version 1.0.2) support was provided for generating X9.42 style
parameter files such as those required for RFC 5114 support. The primes used in
such files may not be "safe". Where an application is using DH configured with
parameters based on primes that are not "safe" then an attacker could use this
fact to find a peer's private DH exponent. This attack requires that the
attacker complete multiple handshakes in which the peer uses the same private DH
exponent. For example this could be used to discover a TLS server's private DH
exponent if it's reusing the private DH exponent or it's using a static DH
ciphersuite.

OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in TLS.
It is not on by default. If the option is not set then the server reuses the
same private DH exponent for the life of the server process and would be
vulnerable to this attack. It is believed that many popular applications do set
this option and would therefore not be at risk.

OpenSSL before 1.0.2f will reuse the key if:
- SSL_CTX_set_tmp_dh()/SSL_set_tmp_dh() is used and SSL_OP_SINGLE_DH_USE is not
  set.
- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used, and both the
  parameters and the key are set and SSL_OP_SINGLE_DH_USE is not used. This is
  an undocumented feature and parameter files don't contain the key.
- Static DH ciphersuites are used. The key is part of the certificate and
  so it will always reuse it. This is only supported in 1.0.2.

It will not reuse the key for DHE cipher suites if:
- SSL_OP_SINGLE_DH_USE is set
- SSL_CTX_set_tmp_dh_callback()/SSL_set_tmp_dh_callback() is used and the
  callback does not provide the key, only the parameters. The callback is
  almost always used like this.

Non-safe primes are generated by OpenSSL when using:
- genpkey with the dh_rfc5114 option. This will write a X9.42 style file
  including the prime-order subgroup size "q". This is supported since the 1.0.2
  version. Older versions can't read the file generated by this.
- dhparam with the -dsaparam option. This has always been documented as
  requiring the single use.

The fix for this issue adds an additional check where a "q" parameter is
available (as is the case in X9.42 based parameters). This detects the
only known attack, and is the only possible defense for static DH ciphersuites.
This could have some performance impact.

Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by default
and cannot be disabled. This could have some performance impact.

This issue affects OpenSSL version 1.0.2.

OpenSSL 1.0.2 users should upgrade to 1.0.2f

This issue was reported to OpenSSL on 12 January 2016 by Antonio Sanso. The fix
was developed by Matt Caswell of the OpenSSL development team (incorporating
some work originally written by Stephen Henson of the OpenSSL core team).



SLE not affected.
Affects openSUSE Tumbleweed only.
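The attack the advisory describes, and the y^q (mod p) == 1 peer-key check that closes it, as an added example in Python that is not part of this bug report, the OpenSSL advisory or OpenSSL's own code. It constructs toy-sized X9.42-style parameters (a 31-bit q and a p whose p-1 has eight planted small prime factors, both hypothetical), models the TLS Finished message as a plain hash of the shared secret, and uses its own names (DHServer, recover_private_exponent, check_pub_key) throughout.

```python
"""Added example (not OpenSSL code): small-subgroup confinement against DH with a
non-"safe" X9.42-style prime and a reused private exponent, plus the y^q == 1 (mod p)
peer-key check that stops it. Parameters are constructed at toy size (31-bit q)."""
import hashlib
import math
import random

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23]             # orders of the planted subgroups
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic for n < 3.3e24

def is_probable_prime(n):
    """Miller-Rabin; with MR_BASES the answer is exact for the sizes used here."""
    if n < 2:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in MR_BASES:
        if a >= n:
            break
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def element_of_order(p, r):
    """Some y != 1 with y^r == 1 (mod p); r must be a prime dividing p - 1."""
    h = 2
    while pow(h, (p - 1) // r, p) == 1:
        h += 1
    return pow(h, (p - 1) // r, p)

def make_unsafe_params():
    """p = 2*q*S*k + 1, q prime, S = prod(SMALL_PRIMES): p is not "safe". Returns (p, q, g)."""
    q, S, k = 2147483647, math.prod(SMALL_PRIMES), 1      # q = 2^31 - 1 is prime (toy size)
    while not is_probable_prime(2 * q * S * k + 1):
        k += 1
    p = 2 * q * S * k + 1
    return p, q, element_of_order(p, q)                   # g generates the order-q subgroup

def check_pub_key(p, q, y):
    """Range check alone passes small-order values; the y^q == 1 test (the 1.0.2f fix,
    possible only when q is known, as in X9.42 files) rejects anything outside <g>."""
    if y <= 1 or y >= p - 1:
        return False
    return q is None or pow(y, q, p) == 1

def verify_data(p, secret):
    """Stand-in for the Finished message: a hash of the shared secret (TLS uses a PRF)."""
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()

class DHServer:
    """x is reused for every handshake unless single_use (SSL_OP_SINGLE_DH_USE);
    validate=True runs check_pub_key on the peer value, as 1.0.2f does when q is known."""
    def __init__(self, p, q, g, x, single_use=False, validate=False):
        self.p, self.q, self.g, self.x, self.rng = p, q, g, x, random.Random(2016)
        self.single_use, self.validate = single_use, validate

    def handshake(self, peer_pub):
        """Returns (server public value, Finished-style verify data)."""
        if self.validate and not check_pub_key(self.p, self.q, peer_pub):
            raise ValueError("peer public value is outside the order-q subgroup")
        x = self.rng.randrange(1, self.q) if self.single_use else self.x
        return pow(self.g, x, self.p), verify_data(self.p, pow(peer_pub, x, self.p))

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, m = 0, 1
    for r, n in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, n)) % n)
        m *= n
    return x % m

def recover_private_exponent(server, p, q, g):
    """Attacker side. y_r of order r makes y_r^x depend only on x mod r, so at most r
    trial hashes reveal it; CRT gives x mod S, and the ~q/S candidates left are checked
    against g^x from one honest handshake. Returns x, or None if x was not reused."""
    residues = []
    for r in SMALL_PRIMES:
        y_r = element_of_order(p, r)
        _, verify = server.handshake(y_r)
        residues.append(next(c for c in range(r) if verify_data(p, pow(y_r, c, p)) == verify))
    x_mod_S, S = crt(residues, SMALL_PRIMES), math.prod(SMALL_PRIMES)
    honest_pub, _ = server.handshake(pow(g, 12345, p))  # attacker's own in-subgroup value
    for t in range(q // S + 2):
        if pow(g, x_mod_S + t * S, p) == honest_pub:
            return x_mod_S + t * S
    return None

def attack_is_blocked(server, p, q, g):
    """True when the server refuses the small-order values the attack depends on."""
    try:
        recover_private_exponent(server, p, q, g)
        return False
    except ValueError:
        return True
```

With a reused exponent, eight small-order handshakes plus one honest one give the attacker x outright; with single_use=True (the effect of SSL_OP_SINGLE_DH_USE) the residues come from unrelated exponents and no candidate matches; with validate=True the server aborts on the first small-order value, which is what the added y^q check in 1.0.2f achieves when q is present in the parameters. The attack needs p-1 to have small factors besides 2: for a "safe" prime the only small subgroup is {1, p-1}, which the range check already rejects, and that is why the advisory singles out X9.42-style parameters.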
Comment 1 Swamp Workflow Management 2016-01-25 23:00:25 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-01-28 14:49:45 UTC
Fix is in openssl git

commit e729aac19de7b41169be82e6e55c4c898de9470a
Author: Matt Caswell <matt@openssl.org>
Date:   Wed Jan 20 11:56:28 2016 +0000

    Add a test for small subgroup attacks on DH/DHE
    
    Following on from the previous commit, add a test to ensure that
    DH_compute_key correctly fails if passed a bad y such that:
    
    y^q (mod p) != 1
    
    Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

commit b128abc3437600c3143cb2145185ab87ba3156a2
Author: Matt Caswell <matt@openssl.org>
Date:   Mon Jan 18 11:31:58 2016 +0000

    Prevent small subgroup attacks on DH/DHE
    
    Historically OpenSSL only ever generated DH parameters based on "safe"
    primes. More recently (in version 1.0.2) support was provided for
    generating X9.42 style parameter files such as those required for RFC
    5114 support. The primes used in such files may not be "safe". Where an
    application is using DH configured with parameters based on primes that
    are not "safe" then an attacker could use this fact to find a peer's
    private DH exponent. This attack requires that the attacker complete
    multiple handshakes in which the peer uses the same DH exponent.
    
    A simple mitigation is to ensure that y^q (mod p) == 1
    
    CVE-2016-0701
    
    Issue reported by Antonio Sanso.
    
    Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Comment 3 Andreas Stieger 2016-01-28 15:11:22 UTC
Advisory public at https://openssl.org/news/secadv/20160128.txt
Comment 4 Vítězslav Čížek 2016-01-28 15:49:05 UTC
(In reply to Marcus Meissner from comment #2)
>     A simple mitigation is to ensure that y^q (mod p) == 1

We do implement this check in openssl-1.0.2a-new-fips-reqs.patch:

+        if (BN_mod_exp_mont(q, pub_key, dh->q, dh->p, ctx, NULL) <= 0) {
+            BN_CTX_free(ctx);
+            goto err;
+        }
+        if (!BN_is_one(q)) {
+            BN_CTX_free(ctx);
+            goto err;
+        }
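Review bot: the hunk dereferences dh->q unconditionally, so it is only correct if the enclosing block (not shown) is guarded by `if (dh->q != NULL)`: safe-prime parameters as written by `dhparam` carry no q, and without that guard every peer key against such parameters would fail the exponentiation and be rejected. The two failure paths also each repeat `BN_CTX_free(ctx); goto err;` inline; folding the free into the err label keeps one cleanup path and avoids a double free should err already release ctx. Since this lives in openssl-1.0.2a-new-fips-reqs.patch, it is worth confirming at the call site that the check runs in DH_compute_key in non-FIPS mode too, as the "no distribution is affected" conclusion below depends on it.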

No distribution is affected by CVE-2016-0701.
Comment 5 Andreas Stieger 2016-01-28 15:58:24 UTC
Closing as not affecting us.
Comment 6 Bernhard Wiedemann 2016-01-28 16:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (963413) was mentioned in
https://build.opensuse.org/request/show/356565 Factory / openssl
Comment 7 Bernhard Wiedemann 2016-02-08 14:00:21 UTC
This is an autogenerated message for OBS integration:
This bug (963413) was mentioned in
https://build.opensuse.org/request/show/358362 Factory / openssl