GNU bug report logs - #31831
CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries


Package: guix;

Reported by: Leo Famulari <leo <at> famulari.name>

Date: Thu, 14 Jun 2018 19:24:02 UTC

Severity: normal

Tags: security

Done: Leo Famulari <leo <at> famulari.name>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Thu, 14 Jun 2018 19:24:02 GMT)

Acknowledgement sent to Leo Famulari <leo <at> famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Thu, 14 Jun 2018 19:24:02 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: bug-guix <at> gnu.org
Subject: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Thu, 14 Jun 2018 15:22:11 -0400
Recently a new side-channel key extraction technique was published as
CVE-2018-0495, and it affects a lot of the cryptographic libraries we
package:

https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/?style=Cyber+Security

An excerpt from that advisory:

------
We analyzed the source code of several open source cryptographic
libraries to see if they contain the vulnerable code pattern in the code
for ECDSA, DSA, or both. This list is accurate to the best of our
knowledge, but it is not exhaustive. Only the first group was affected
by this finding; the other three groups are not thought to be
vulnerable.

Contains vulnerable pattern: CryptLib (Both), LibreSSL (Both), Mozilla
NSS (Both), Botan (ECDSA), OpenSSL (ECDSA), WolfCrypt (ECDSA), Libgcrypt
(ECDSA), LibTomCrypt (ECDSA), LibSunEC (ECDSA), MatrixSSL (ECDSA),
BoringSSL (DSA)

Non-constant math, but different pattern: BouncyCastle, Crypto++, Golang
crypto/tls, C#/Mono, mbedTLS, Trezor Crypto, Nettle (DSA)

Constant time-math: Nettle (ECDSA), BearSSL, Libsecp256k1

Does not implement either: NaCl
------

Note that libtomcrypt is bundled in the Dropbear SSH implementation.

I'm going to test the libgcrypt update now.

I'd like for other Guix hackers to "claim" an affected package in this
thread, and then investigate and test the fixes. Please make new debbugs
tickets on guix-patches for each bug-fix patch you propose, and send the
links to those tickets here.

Information forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Thu, 14 Jun 2018 19:51:02 GMT)

Message #8 received at 31831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 31831 <at> debbugs.gnu.org
Subject: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Thu, 14 Jun 2018 15:50:49 -0400
I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!

I'll try OpenSSL next.

Information forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Thu, 14 Jun 2018 19:54:02 GMT)

Message #11 received at 31831 <at> debbugs.gnu.org:

From: Gábor Boskovits <boskovits <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 31831 <at> debbugs.gnu.org
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Thu, 14 Jun 2018 21:53:30 +0200
2018-06-14 21:50 GMT+02:00 Leo Famulari <leo <at> famulari.name>:

> I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!
>
> I'll try OpenSSL next.
>

I'll try libressl.

Information forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Thu, 14 Jun 2018 20:07:01 GMT)

Message #14 received at 31831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Gábor Boskovits <boskovits <at> gmail.com>
Cc: 31831 <at> debbugs.gnu.org
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Thu, 14 Jun 2018 16:06:08 -0400
> 2018-06-14 21:50 GMT+02:00 Leo Famulari <leo <at> famulari.name>:
> > I'll try OpenSSL next.

They committed a fix but haven't released an update yet:

https://github.com/openssl/openssl/commit/a3e9d5aa980f238805970f420adf5e903d35bf09

There is also an unrelated security advisory for a DoS bug from 2 days
ago:

https://www.openssl.org/news/secadv/20180612.txt

I'll try grafting these patches.
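The grafting approach mentioned in the message above, as an added illustration that is not code from this thread or from the Guix repository: in Guix, a security fix for a package with many dependents is applied as a graft, a `replacement` package whose outputs are substituted into already-built dependents instead of rebuilding them. The module name `(example tls-graft)`, the variable names `openssl/fixed` and `openssl-grafted`, and the patch file name are assumptions made for this example; the real patches are the ones in the tickets linked later in this thread.

```scheme
;; Added example, not from the bug thread or from Guix itself.
;; Assumed to live at example/tls-graft.scm; the module name is hypothetical.
(define-module (example tls-graft)
  #:use-module (guix packages)       ; package, origin, origin-patches
  #:use-module (gnu packages)        ; search-patches
  #:use-module (gnu packages tls))   ; the real openssl package variable

;; The patched variant.  A graft must keep the same name and version as the
;; package it replaces so that file names and sonames in the output are
;; identical; only the source gains the extra patch.
;; The patch file name is a placeholder; search-patches assumes the file
;; has been added under gnu/packages/patches/ (and registered in local.mk).
(define-public openssl/fixed
  (package
    (inherit openssl)
    (source
     (origin
       (inherit (package-source openssl))
       (patches
        (append (origin-patches (package-source openssl))
                (search-patches "openssl-CVE-2018-0495-PLACEHOLDER.patch")))))))

;; The grafted package: identical to openssl, but declares the replacement.
;; Anything built against this package gets its store references to the
;; original openssl output rewritten to point at openssl/fixed, without
;; being rebuilt.  In the real tree the (replacement ...) field is added to
;; the existing openssl definition in gnu/packages/tls.scm rather than to
;; a separate variable like this one.
(define-public openssl-grafted
  (package
    (inherit openssl)
    (replacement openssl/fixed)))
```

With the file on the load path, `guix build -L . openssl-grafted` produces the grafted output, and `guix build -L . --no-grafts openssl-grafted` shows the ungrafted original for comparison; the difference between the two store paths is exactly the rewritten references to the patched library.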

Information forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Thu, 14 Jun 2018 20:45:02 GMT)

Message #17 received at 31831 <at> debbugs.gnu.org:

From: Gábor Boskovits <boskovits <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 31831 <at> debbugs.gnu.org
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Thu, 14 Jun 2018 22:44:08 +0200
2018-06-14 21:53 GMT+02:00 Gábor Boskovits <boskovits <at> gmail.com>:

> 2018-06-14 21:50 GMT+02:00 Leo Famulari <leo <at> famulari.name>:
>
>> I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!
>>
>> I'll try OpenSSL next.
>>
>
> I'll try libressl.
>
Here it is: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31832

Information forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Thu, 14 Jun 2018 20:46:02 GMT)

Message #20 received at 31831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 31831 <at> debbugs.gnu.org
Subject: Re: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Thu, 14 Jun 2018 16:45:41 -0400
On Thu, Jun 14, 2018 at 03:50:49PM -0400, Leo Famulari wrote:
> I'll try OpenSSL next.

I sent patches for both branches of OpenSSL:

version 1.0.2:

<https://bugs.gnu.org/31834>

version 1.1.0:

<https://bugs.gnu.org/31833>

Information forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Mon, 18 Jun 2018 16:36:02 GMT)

Message #23 received at 31831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 31831 <at> debbugs.gnu.org
Subject: Re: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Mon, 18 Jun 2018 12:35:56 -0400
On Thu, Jun 14, 2018 at 03:50:49PM -0400, Leo Famulari wrote:
> I'll try OpenSSL next.

Patches pushed for both OpenSSL branches, closing bugs 31833 and 31834.

Added tag(s) security. Request was from ludo <at> gnu.org (Ludovic Courtès) to control <at> debbugs.gnu.org. (Wed, 27 Jun 2018 20:52:02 GMT)

Information forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Mon, 16 Jul 2018 06:22:02 GMT)

Message #28 received at 31831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: 31831 <at> debbugs.gnu.org
Subject: Re: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Mon, 16 Jul 2018 02:20:34 -0400
Fixed in Botan in Guix commit cfe255684cc4deb164d0eaaa2e1ed9804b5ff651.

Information forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Mon, 16 Jul 2018 06:55:01 GMT)

Message #31 received at 31831 <at> debbugs.gnu.org:

From: Gábor Boskovits <boskovits <at> gmail.com>
To: Leo Famulari <leo <at> famulari.name>
Cc: 31831 <at> debbugs.gnu.org
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Mon, 16 Jul 2018 08:53:56 +0200
Leo Famulari <leo <at> famulari.name> wrote (on 16 Jul 2018, Mon 8:22):

> Fixed in Botan in Guix commit cfe255684cc4deb164d0eaaa2e1ed9804b5ff651.
>
Are there any more packages needing attention?

Information forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Mon, 16 Jul 2018 17:15:01 GMT)

Message #34 received at 31831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Gábor Boskovits <boskovits <at> gmail.com>
Cc: 31831 <at> debbugs.gnu.org
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Mon, 16 Jul 2018 13:14:30 -0400
On Mon, Jul 16, 2018 at 08:53:56AM +0200, Gábor Boskovits wrote:
> Are there any more packages needing attention?

libtomcrypt version 1.18.2 includes a fix; we would need to adapt this
to the bundled copy in Dropbear. I can take a look at this today.

NSS was fixed in Guix commit 7c3bea7e6299e1026c7964c83986a6b6c220879a by
Marius. Thanks, Marius!

The advisory mentions similar but not identical issues in these
packages:

There is a new release of Crypto++ available. I'm not sure if this
addresses whatever issue was mentioned in the original advisory.

mbedTLS's changelog doesn't mention anything related to key extraction
side channels.

I don't see any related commits in Go's crypto/tls Git repo.

Information forwarded to bug-guix <at> gnu.org:
bug#31831; Package guix. (Mon, 16 Jul 2018 17:40:02 GMT)

Message #37 received at 31831 <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
To: Gábor Boskovits <boskovits <at> gmail.com>
Cc: 31831 <at> debbugs.gnu.org
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Mon, 16 Jul 2018 13:39:29 -0400
On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> libtomcrypt version 1.18.2 includes a fix; we would need to adapt this
> to the bundled copy in Dropbear. I can take a look at this today.

Dropbear's bundled libtomcrypt includes a variety of whitespace and
comment changes that make it non-trivial to compare the actual
differences between the codebases.

I'm not going to work on adapting the upstream patch for Dropbear, but
of course others are welcome to do it :) Otherwise I assume the Dropbear
team will include the fixes whenever they make a new release.

Reply sent to Leo Famulari <leo <at> famulari.name>:
You have taken responsibility. (Tue, 26 Feb 2019 02:02:02 GMT)

Notification sent to Leo Famulari <leo <at> famulari.name>:
bug acknowledged by developer. (Tue, 26 Feb 2019 02:02:02 GMT)

Message #42 received at 31831-done <at> debbugs.gnu.org:

From: Leo Famulari <leo <at> famulari.name>
Cc: 31831-done <at> debbugs.gnu.org
Subject: Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries
Date: Mon, 25 Feb 2019 21:01:08 -0500
On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> There is a new release of Crypto++ available. I'm not sure if this
> addresses whatever issue was mentioned in the original advisory.

Crypto++ was updated to 8.0.0 in January 2019.

https://www.cryptopp.com/release800.html

> mbedTLS's changelog doesn't mention anything related to key extraction
> side channels.

mbedTLS has been updated several times since this bug was opened, and is
currently at 2.16.0.

https://github.com/ARMmbed/mbedtls/blob/fb1972db23da39bd11d4f9c9ea6266eee665605b/ChangeLog

Neither of those upstreams has mentioned CVE-2018-0495, as far as I can
tell. The original advisory said they do not use the vulnerable pattern,
but do use "non-constant math, but different pattern".

Overall, I don't think there is anything left for us to do as a distro
in response to CVE-2018-0495, so I am closing this bug.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 26 Mar 2019 11:24:06 GMT)



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.