ASA-2018-00016 – OpenSSL: Timing vulnerability in DSA signature generation


Allele Security Alert

ASA-2018-00016

Identifier(s)

ASA-2018-00016, CVE-2018-0734

Title

Timing vulnerability in DSA signature generation

Vendor(s)

The OpenSSL Project

Product(s)

OpenSSL

Affected version(s)

OpenSSL 1.1.1

OpenSSL 1.1.0 – 1.1.0i

OpenSSL 1.0.2 – 1.0.2p

Fixed version(s)

OpenSSL 1.1.1a

OpenSSL 1.1.0j

OpenSSL 1.0.2q
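
A version check against the affected and fixed releases listed above, as an added example (not code from Allele Security or the OpenSSL Project). It assumes that letter releases after the first fixed one on a branch keep the fix, and it reports branches and pre-release builds that the alert does not name as "not listed".

```python
import re

# First fixed letter release per branch, copied from this alert. Every earlier
# release on the branch, starting at the base release, is listed as affected
# (1.1.1; 1.1.0 - 1.1.0i; 1.0.2 - 1.0.2p).
FIRST_FIXED = {(1, 1, 1): "a", (1, 1, 0): "j", (1, 0, 2): "q"}

# x.y.z, optional letter suffix, optional "-tag" such as -fips, -pre9, -dev
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([a-z]+))?")


def parse_openssl_version(text):
    """Return ((x, y, z), letters, tag) from a version string or banner."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    branch = tuple(int(part) for part in m.group(1, 2, 3))
    return branch, m.group(4), m.group(5) or ""


def _letter_key(letters):
    # Letter releases sort "" < "a" < ... < "z" < "za" < "zb", so compare
    # by length first and alphabetically second.
    return (len(letters), letters)


def classify(text):
    """Classify a version against this alert: affected, fixed or not listed."""
    branch, letters, tag = parse_openssl_version(text)
    if branch not in FIRST_FIXED or tag in ("pre", "dev", "beta"):
        return "not listed"  # other branches and pre-releases are not in the alert
    # Assumption: releases after the first fixed one on a branch keep the fix.
    if _letter_key(letters) >= _letter_key(FIRST_FIXED[branch]):
        return "fixed"
    return "affected"


if __name__ == "__main__":
    # Constructed sample banners in the style of `openssl version` output.
    for banner in ("OpenSSL 1.1.1  11 Sep 2018", "OpenSSL 1.0.2k-fips  26 Jan 2017",
                   "OpenSSL 1.1.0j  20 Nov 2018", "OpenSSL 1.0.1u"):
        print(f"{banner!r}: {classify(banner)}")
```

Distribution packages often backport fixes without changing the upstream version letter, so an "affected" result for a vendor build should be confirmed against the vendor's own advisory.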

Proof of concept

Unknown

Description

The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side-channel attack. An attacker could use timing variations in the signing algorithm to recover the private key.

Technical details

Unknown

Credits

Samuel Weiser

Reference(s)

Timing vulnerability in DSA signature generation (CVE-2018-0734) https://www.openssl.org/news/secadv/20181030.txt

Timing vulnerability in DSA signature generation (CVE-2018-0734) https://github.com/openssl/openssl/commit/8abfe72e8c1de1b95f50aa0d9134803b4d00070f

Timing vulnerability in DSA signature generation (CVE-2018-0734) https://github.com/openssl/openssl/commit/ef11e19d1365eea2b1851e6f540a0bf365d303e7

Merge DSA reallocation timing fix CVE-2018-0734
https://github.com/openssl/openssl/commit/43e6a58d4991a451daf4891ff05a48735df871ac

Changes between 1.0.2p and 1.0.2q [20 Nov 2018]
https://www.openssl.org/news/cl102.txt

Changes between 1.1.1 and 1.1.1a [20 Nov 2018]
https://www.openssl.org/news/cl111.txt

Changes between 1.1.0i and 1.1.0j [20 Nov 2018]
https://www.openssl.org/news/cl110.txt

CVE-2018-0734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734

CVE-2018-0734
https://nvd.nist.gov/vuln/detail/CVE-2018-0734


Last modified: February 3, 2019
