Allele Security Alert
CPU DoS vulnerability affecting P-521 and P-384 elliptic curves
The Go Authors
Go 1.11.x before 1.11.5
Go 1.10.x before 1.10.8
Proof of concept
A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.
These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
If ECDH is used in an Ephemeral-Static protocol, the attacker can use multiple tries to recover the static private key. crypto/tls does not reuse ECDH private keys, so is unaffected, but certain JWT encryption modes are based on ECDH-ES, so would be affected if the private key is a P-384 or P-521 key.
Julie Qiu and Filippo Valsorda
[security] Go 1.11.5 and Go 1.10.8 are released
crypto/elliptic: CPU DoS vulnerability affecting P-521 and P-384 #29903
[release-branch.go1.11-security] crypto/elliptic: reduce subtraction term to prevent long busy loop
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 11, 2019