ASA-2018-00015 – OpenSSL: Timing vulnerability in ECDSA signature generation


Allele Security Alert

ASA-2018-00015

Identifier(s)

ASA-2018-00015, CVE-2018-0735

Title

Timing vulnerability in ECDSA signature generation

Vendor(s)

The OpenSSL Project

Product(s)

OpenSSL

Affected version(s)

OpenSSL 1.1.1

OpenSSL 1.1.0 – 1.1.0i

Fixed version(s)

OpenSSL 1.1.1a

OpenSSL 1.1.0j

Proof of concept

Unknown

Description

The OpenSSL ECDSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use timing variations in the signing algorithm to recover the private key.

Technical details

Unknown

Credits

Samuel Weiser

Reference(s)

Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
https://www.openssl.org/news/secadv/20181029.txt

Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
https://github.com/openssl/openssl/commit/b1d6d55ece1c26fa2829e2b819b038d7b6d692b4

Timing vulnerability in ECDSA signature generation (CVE-2018-0735)
https://github.com/openssl/openssl/commit/56fb454d281a023b3f950d969693553d3f3ceea1

Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
https://www.openssl.org/news/cl110.txt

Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
https://www.openssl.org/news/cl111.txt

CVE-2018-0735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0735

CVE-2018-0735
https://nvd.nist.gov/vuln/detail/CVE-2018-0735

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: February 3, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.