Bugzilla – Bug 1097410
VUL-0: CVE-2018-0495: Novel side-channel attack "ROHNP"- Key Extraction Side Channel in Multiple Crypto Libraries
Last modified: 2022-04-26 14:17:22 UTC
CVE-2018-0495

From release notes of libgcrypt 1.8.3:
- Use blinding for ECDSA signing to mitigate a novel side-channel attack.

No real details public yet.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-0495
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965
Backporting this for SLE11 is not possible without the risk of introducing new bugs / side-channels in this critical code. Therefore this won't be fixed for SLE11.
SUSE-SU-2018:1993-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1097410 CVE References: CVE-2018-0495 Sources used: SUSE Linux Enterprise Module for Basesystem 15 (src): libgcrypt-1.8.2-6.3.1
openSUSE-SU-2018:2122-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1097410 CVE References: CVE-2018-0495 Sources used: openSUSE Leap 15.0 (src): libgcrypt-1.8.2-lp150.5.3.1
openSUSE-SU-2018:2178-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1064455,1090766,1097410 CVE References: CVE-2018-0495 Sources used: openSUSE Leap 42.3 (src): libgcrypt-1.6.1-45.1
SUSE-SU-2018:2452-1: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1064455,1090766,1097410 CVE References: CVE-2018-0495 Sources used: SUSE CaaS Platform 3.0 (src): libgcrypt-1.6.1-16.61.1
SUSE-SU-2018:2452-2: An update that solves one vulnerability and has two fixes is now available. Category: security (moderate) Bug References: 1064455,1090766,1097410 CVE References: CVE-2018-0495 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP4 (src): libgcrypt-1.6.1-16.62.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): libgcrypt-1.6.1-16.62.1 SUSE Linux Enterprise Server 12-SP4 (src): libgcrypt-1.6.1-16.62.1 SUSE Linux Enterprise Server 12-SP3 (src): libgcrypt-1.6.1-16.62.1 SUSE Linux Enterprise Desktop 12-SP4 (src): libgcrypt-1.6.1-16.62.1 SUSE Linux Enterprise Desktop 12-SP3 (src): libgcrypt-1.6.1-16.62.1 SUSE CaaS Platform ALL (src): libgcrypt-1.6.1-16.62.1 OpenStack Cloud Magnum Orchestration 7 (src): libgcrypt-1.6.1-16.62.1
CVE-2018-0495
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

Technical Advisory: "ROHNP"- Key Extraction Side Channel in Multiple Crypto Libraries

Vendors affected: Multiple
Versions affected: Multiple
Author: Keegan Ryan <keegan.ryan[at]nccgroup[dot]trust> <@inf_0_>
Advisory URL / CVE Identifier: CVE-2018-0495
Risk: Medium (Key disclosure is possible, but only through certain side channels)

Summary

We have discovered an implementation flaw in multiple cryptographic libraries that allows a side-channel based attacker to recover ECDSA or DSA private keys. When these cryptographic libraries use the private key to create a signature, such as for a TLS or SSH connection, they inadvertently leak information through memory caches. An unprivileged attacker running on the same machine can collect the information from a few thousand signatures and recover the value of the private key. We have demonstrated this attack against the latest version of OpenSSL and can recover a 256 bit ECDSA key in around a minute by using a simple memory cache side-channel attack.

Location

The flaw is located in the code that computes signature component s:

    s = k^-1 (m + r * x) (mod q)

In many libraries, the code that performs modular addition does not run in constant time, and so a side channel can recover information that can be used to calculate the private key.

We analyzed the source code of several open source cryptographic libraries to see if they contain the vulnerable code pattern in the code for ECDSA, DSA, or both. This list is accurate to the best of our knowledge, but it is not exhaustive. Only the first group was affected by this finding; the other three groups are not thought to be vulnerable.

Contains vulnerable pattern: CryptLib (Both), LibreSSL (Both), Mozilla NSS (Both), OpenSSL (Both), Botan (ECDSA), WolfCrypt (ECDSA), Libgcrypt (ECDSA), LibTomCrypt (ECDSA), LibSunEC (ECDSA), MatrixSSL (ECDSA), BoringSSL (DSA)
Non-constant-time math, but different pattern: BouncyCastle, Crypto++, Golang crypto/tls, C#/Mono, mbedTLS, Nettle (DSA)
Constant-time math: Nettle (ECDSA), BearSSL, Libsecp256k1, Trezor Crypto
Does not implement either: NaCl

Impact

Impact varies depending on how the application is used. The attacker and victim need to be running code on the same machine in order to achieve the side channel (network timing data on its own is not enough for a practical attack). The most common scenario is when the attacker and victim are both running in a cloud computing environment and their virtual machines are assigned to share the same physical host. In this hypothetical, an attacker could use a cross-VM side-channel attack to, for example, steal SSH server keys or TLS private keys.

These attacks are still going to be very difficult for an attacker. To see why, consider what an attacker would have to do to compromise a site using a vulnerable library and an ECDSA public key. The attacker must first identify the cloud provider where the site is hosted, then the attacker must create virtual machines with that provider until one of the virtual machines shares the same physical processor as the victim site. Next, the attacker initiates TLS connections to trigger the ECDSA signing process and uses the cross-VM side channel to monitor for leaked information and then uses this information to recover the site's private key. Now, the attacker must be in a position to intercept the traffic between the site and a user, modifying the content of the TLS packets and using the stolen private key to forge a signature. This chain of events requires highly specialized knowledge, and even on their own, none of the attack steps are easy.

We have considered common cases, but ECDSA and DSA are used in countless very different ways. The most dangerous aspect of the bug, in my opinion, is that the flawed implementation pattern is widespread and the key information can leak through simple side channels. The issue likely exists in implementations we did not consider where side-channel attacks are more practical, so the impact to those systems might be greater.

Details

An easy to understand introduction to how the attack works can be found here. The paper with the more technical details is located here.

Proof of Concept

We currently have a generic PoC that demonstrates the cryptanalysis step of the attack and a full PoC that performs the attack against the latest OpenSSL. Although we do not anticipate mass exploitation, we are waiting two weeks before publishing these PoCs to make immediate exploitation more difficult.

Update (6/27/2018): Proof of concept code is available here.

Recommendation

A large number of affected vendors are publishing patches today. For use cases where side channel attacks are not a primary concern, just apply the patches as they are released. For maintainers of ECDSA and DSA signing code, check to see if your code follows the vulnerable pattern and implement the mitigations. More detailed information can be found in the paper.

In some situations, patching may be difficult and side channel attacks are a concern. This may apply, for example, to embedded devices that store private signing keys in a trusted execution environment. It is difficult to give a specific recommendation here, as it varies from situation to situation. In general, we recommend building any cryptographic system with consideration of side-channel attacks, implementing defense-in-depth mitigations to make these attacks more difficult, and understanding how to handle a compromised key.

Disclosure Details

NCC Group began disclosing this issue on May 23, 2018 and finished reaching out to the affected parties on June 2, 2018. No contact information could be found on LibTomCrypt's website or in the repository, but we successfully made contact with all other parties. Patching went very quickly for many libraries, as the blinding mitigation only requires a small change to existing code.

This is an atypical disclosure scenario due to the wide variety of affected products. Public release has to be synchronized, since one library patching significantly earlier than the others could give away the details of the cryptanalytic attack, leaving the unpatched libraries at risk. With these considerations in mind, we decided on a release date of today, June 13, 2018. This would get patches out to the most people as soon as possible.

Of the affected libraries, LibreSSL, NSS, OpenSSL, WolfCrypt, Botan, Libgcrypt, MatrixSSL, and BoringSSL have indicated to me that they either have a patch ready or have a plan to patch. Side-channel attacks are explicitly excluded from Cryptlib's threat model.

MatrixSSL: A patch is available from the vendor by contacting support@matrixssl.org
Libgcrypt: Announcement is here
WolfSSL: A fix is publicly available in the form of a patch (wolfssl-3.15.1.patch)

Edited (6/14/2018): An earlier version of this post miscategorized OpenSSL. DSA signing is also impacted.
Edited (6/22/2018): The Trezor Crypto library uses constant time operations, so it has been moved to the correct category.
Edited (6/27/2018): Proof of concept code has been uploaded.

Published date: 13 June 2018
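The vulnerable pattern named in the advisory's Location section, next to the blinding mitigation the Recommendation section asks maintainers to implement, as an added Python example. It is not the advisory's PoC and not any library's code. It models only the scalar arithmetic of s = k^-1 (m + r*x) mod q: the branchy modular add is the side channel, recorded here as an oracle bit instead of being probed through the cache. The group order Q, the per-signature value r (drawn as a public random value rather than derived from k through the curve or group, since the leak does not depend on that step) and the exact order of the blinding operations are assumptions of this example. With a toy-sized q, the interval that each leaked bit imposes on r*x mod q can be intersected by brute force, which stands in for the lattice step the paper uses at real key sizes.

```python
"""
Added illustration of the ROHNP leak and of blinding (not the advisory's PoC).
Only the scalar arithmetic of (EC)DSA's  s = k^-1 (m + r*x) mod q  is modelled.
All parameters are toy-sized assumptions; real groups have q of ~256 bits.
"""
import random
import secrets

Q = 65521  # toy prime group order (assumption; a real q is ~256 bits)


def mod_add_leaky(a, b, q, trace):
    """(a + b) mod q written the vulnerable way: a data-dependent branch on
    whether the sum needs reducing. The side channel observes that branch;
    here it is recorded into `trace` as a bit instead of probed via cache."""
    c = a + b
    if c >= q:
        c -= q
        trace.append(1)
    else:
        trace.append(0)
    return c


def sign_vulnerable(x, m, r, k, q, trace):
    """s = k^-1 (m + r*x) mod q with the add done directly on r*x mod q."""
    rx = r * x % q
    t = mod_add_leaky(m, rx, q, trace)
    return pow(k, -1, q) * t % q


def sign_blinded(x, m, r, k, q, trace, b=None):
    """Same s, but the leaky add runs on values multiplied by a secret random
    blind b (the mitigation libgcrypt and OpenSSL adopted; the exact order of
    operations here is assumed). The branch now depends on b, which the
    attacker never learns, and b is removed again at the end."""
    if b is None:
        b = secrets.randbelow(q - 1) + 1
    bm = b * m % q
    brx = b * r % q * x % q
    t = mod_add_leaky(bm, brx, q, trace)
    s = pow(k, -1, q) * t % q
    return s * pow(b, -1, q) % q


def leak_predicate(x, m, r, q):
    """What the vulnerable branch tells the attacker about the private key x:
    whether r*x mod q lies in [q - m, q). Both m and r are public."""
    return 1 if (r * x % q) + m >= q else 0


def collect_samples(x, n, rng, blinded=False):
    """Attacker-side view of n signatures: public (m, r) plus the probed bit.
    r stands in for (kG).x mod q (ECDSA) or g^k mod p mod q (DSA); it is
    drawn at random here because the leak does not depend on how r arises."""
    samples = []
    for _ in range(n):
        m = rng.randrange(Q)
        r = rng.randrange(1, Q)
        k = rng.randrange(1, Q)
        trace = []
        if blinded:
            sign_blinded(x, m, r, k, Q, trace, b=rng.randrange(1, Q))
        else:
            sign_vulnerable(x, m, r, k, Q, trace)
        samples.append((m, r, trace[0]))
    return samples


def recover_key_bruteforce(samples, q):
    """Keep every x consistent with all observed bits. Each bit confines
    r*x mod q to a known interval; at real sizes this is the hidden number
    problem solved by lattice reduction, at toy size brute force suffices."""
    candidates = range(1, q)
    for m, r, bit in samples:
        candidates = [x for x in candidates if leak_predicate(x, m, r, q) == bit]
        if len(candidates) <= 1:
            break
    return list(candidates)


def run_demo(seed=1, n_sigs=100):
    """Return (true x, candidates from the vulnerable oracle, candidates from
    the blinded oracle). Seeded so a run is reproducible."""
    rng = random.Random(seed)
    x = rng.randrange(1, Q)
    from_vulnerable = recover_key_bruteforce(collect_samples(x, n_sigs, rng), Q)
    from_blinded = recover_key_bruteforce(collect_samples(x, n_sigs, rng, True), Q)
    return x, from_vulnerable, from_blinded


if __name__ == "__main__":
    x, vuln, blind = run_demo()
    print("private key:", x, "| leaky add recovers:", vuln, "| blinded add:", blind)
```

With the unblinded add, a few dozen leaked bits pin x down to a single candidate; with blinding, the same bits constrain b*(m + r*x) mod q for an unknown per-signature b and the true x is eliminated like any other candidate. Blinding is the small, backportable change the advisory describes; the more thorough fix for new code is a modular add that computes both the reduced and unreduced result and selects one with a mask, so that no branch depends on the secret at all.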
CVE applies to the advisory and not just 1 single package.
SUSE-SU-2018:4235-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1097410,1106873,1119069,1119105 CVE References: CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 Sources used: SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): MozillaFirefox-60.4.0-3.21.1 SUSE Linux Enterprise Module for Desktop Applications 15 (src): MozillaFirefox-60.4.0-3.21.1 SUSE Linux Enterprise Module for Basesystem 15 (src): mozilla-nspr-4.20-3.3.2, mozilla-nss-3.40.1-3.7.2
SUSE-SU-2018:4236-1: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1097410,1106873,1119069,1119105 CVE References: CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 Sources used: SUSE OpenStack Cloud 7 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Software Development Kit 12-SP4 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Software Development Kit 12-SP3 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server for SAP 12-SP2 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server 12-SP4 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server 12-SP3 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server 12-SP2-LTSS (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server 12-SP2-BCL (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server 12-SP1-LTSS (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Server 12-LTSS (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Desktop 12-SP4 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Linux Enterprise Desktop 12-SP3 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE Enterprise Storage 4 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE CaaS Platform ALL (src): mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 SUSE CaaS Platform 3.0 (src): mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1
openSUSE-SU-2018:4283-1: An update that solves one vulnerability and has one errata is now available. Category: security (moderate) Bug References: 1097410,1119105 CVE References: CVE-2018-0495 Sources used: openSUSE Leap 15.0 (src): mozilla-nspr-4.20-lp150.2.3.1, mozilla-nss-3.40.1-lp150.2.10.2
SUSE-SU-2018:4236-2: An update that fixes 9 vulnerabilities is now available. Category: security (important) Bug References: 1097410,1106873,1119069,1119105 CVE References: CVE-2018-0495,CVE-2018-12384,CVE-2018-12404,CVE-2018-12405,CVE-2018-17466,CVE-2018-18492,CVE-2018-18493,CVE-2018-18494,CVE-2018-18498 Sources used: SUSE Linux Enterprise Server for SAP 12-SP1 (src): MozillaFirefox-60.4.0esr-109.55.1, mozilla-nspr-4.20-19.6.1, mozilla-nss-3.40.1-58.18.1 *** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
Done.