Add advisory and newsflash for CVE-2024-13176
t8m committed Jan 20, 2025
1 parent 29da3c7 commit a597a77
Showing 3 changed files with 262 additions and 0 deletions.
1 change: 1 addition & 0 deletions newsflash.md
@@ -1,5 +1,6 @@
| Date | Title |
| ----------- | ----- |
| 20-Jan-2025 | [Security Advisory](/news/secadv/20250120.txt): one low severity fix. |
| 22-Oct-2024 | Final version of OpenSSL 3.4.0 is now available: please download and upgrade! |
| 16-Oct-2024 | [Security Advisory](/news/secadv/20241016.txt): one low severity fix. |
| 07-Oct-2024 | Beta 1 of OpenSSL 3.4 is now available: please download and test it |
69 changes: 69 additions & 0 deletions secadv/20250120.txt
@@ -0,0 +1,69 @@
OpenSSL Security Advisory [20th January 2025]
=============================================

Timing side-channel in ECDSA signature computation (CVE-2024-13176)
===================================================================

Severity: Low

Issue summary: A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations
could allow recovering the private key by an attacker. However, measuring
the timing would require either local access to the signing application or
a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the attacker
process must either be located in the same physical computer or must
have a very fast network connection with low latency. For that reason
the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.4 users should upgrade to OpenSSL 3.4.1 once it is released.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.3 once it is released.

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.4 once it is released.

OpenSSL 3.1 users should upgrade to OpenSSL 3.1.8 once it is released.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.16 once it is released.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1zb once it is released
(premium support customers only).

OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zl once it is released
(premium support customers only).

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next release of each
branch, once it becomes available. The fix is also available in commit
77c608f4 (for 3.4), commit 392dcb33 (for 3.3), commit 4b1cb94 (for 3.2),
commit 2af62e74 (for 3.1) and commit 07272b05 (for 3.0) in the OpenSSL git
repository.

It is available to premium support customers in commit a2639000 (for 1.1.1) and in
commit 0d5fd1ab (for 1.0.2).

This issue was reported on 4th September 2024 by George Pantelakis and
Alicja Kario (Red Hat).
The fix was developed by Tomas Mraz.

General Advisory Notes
======================

URL for this Security Advisory:
https://openssl-library.org/news/secadv/20250120.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://openssl-library.org/policies/general/security-policy/
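Review bot: the paragraph "It is available to premium support customers in commit a2639000 (for 1.1.1) and in commit 0d5fd1ab (for 1.0.2)." opens a new paragraph with a bare "It" whose antecedent ("The fix") sits two sentences back in the previous paragraph; suggest "The fix is available to premium support customers in commit a2639000 (for 1.1.1) and commit 0d5fd1ab (for 1.0.2)." so the sentence stands on its own. In the impact paragraph, "This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected." names one curve but leaves "some" open, so a deployer cannot tell from the advisory whether keys on other curves are exposed; either list the other affected curves or state the criterion (which curve orders make the top word of the inverted nonce zero often enough to matter). Minor wording: "located in the same physical computer" should be "located on the same physical computer" (the same phrase also appears in the JSON description, so fix both).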
192 changes: 192 additions & 0 deletions secjson/CVE-2024-13176.json
@@ -0,0 +1,192 @@
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "semver"
},
{
"lessThan": "3.3.3",
"status": "affected",
"version": "3.3.0",
"versionType": "semver"
},
{
"lessThan": "3.2.4",
"status": "affected",
"version": "3.2.0",
"versionType": "semver"
},
{
"lessThan": "3.1.8",
"status": "affected",
"version": "3.1.0",
"versionType": "semver"
},
{
"lessThan": "3.0.16",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"lessThan": "1.1.1zb",
"status": "affected",
"version": "1.1.1",
"versionType": "custom"
},
{
"lessThan": "1.0.2zl",
"status": "affected",
"version": "1.0.2",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "George Pantelakis (Red Hat)"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Alicja Kario (Red Hat)"
},
{
"lang": "en",
"type": "remediation developer",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tomáš Mráz"
}
],
"datePublic": "2025-01-20T14:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Issue summary: A timing side-channel which could potentially allow recovering<br>the private key exists in the ECDSA signature computation.<br><br>Impact summary: A timing side-channel in ECDSA signature computations<br>could allow recovering the private key by an attacker. However, measuring<br>the timing would require either local access to the signing application or<br>a very fast network connection with low latency.<br><br>There is a timing signal of around 300 nanoseconds when the top word of<br>the inverted ECDSA nonce value is zero. This can happen with significant<br>probability only for some of the supported elliptic curves. In particular<br>the NIST P-521 curve is affected. To be able to measure this leak, the attacker<br>process must either be located in the same physical computer or must<br>have a very fast network connection with low latency. For that reason<br>the severity of this vulnerability is Low."
}
],
"value": "Issue summary: A timing side-channel which could potentially allow recovering\nthe private key exists in the ECDSA signature computation.\n\nImpact summary: A timing side-channel in ECDSA signature computations\ncould allow recovering the private key by an attacker. However, measuring\nthe timing would require either local access to the signing application or\na very fast network connection with low latency.\n\nThere is a timing signal of around 300 nanoseconds when the top word of\nthe inverted ECDSA nonce value is zero. This can happen with significant\nprobability only for some of the supported elliptic curves. In particular\nthe NIST P-521 curve is affected. To be able to measure this leak, the attacker\nprocess must either be located in the same physical computer or must\nhave a very fast network connection with low latency. For that reason\nthe severity of this vulnerability is Low."
}
],
"metrics": [
{
"format": "other",
"other": {
"content": {
"text": "Low"
},
"type": "https://openssl-library.org/policies/general/security-policy/"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-385",
"description": "CWE-385 Covert Timing Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"orgId": "00000000-0000-4000-9000-000000000000",
"shortName": "openssl"
},
"references": [
{
"name": "OpenSSL Advisory",
"tags": [
"vendor-advisory"
],
"url": "https://openssl-library.org/news/secadv/20250120.txt"
},
{
"name": "3.3.4 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f"
},
{
"name": "3.3.3 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902"
},
{
"name": "3.2.4 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65"
},
{
"name": "3.1.8 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467"
},
{
"name": "3.0.16 git commit",
"tags": [
"patch"
],
"url": "https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844"
},
{
"name": "1.1.1zb git commit",
"tags": [
"patch"
],
"url": "https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86"
},
{
"name": "1.0.2zl git commit",
"tags": [
"patch"
],
"url": "https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Timing side-channel in ECDSA signature computation",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "00000000-0000-4000-9000-000000000000",
"cveId": "CVE-2024-13176",
"requesterUserId": "00000000-0000-4000-9000-000000000000",
"serial": 1,
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
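Review bot: the reference named "3.3.4 git commit" (url ending in 77c608f4c8857e63e98e66444e2e761c9627916f) is mislabelled: the advisory hunk lists commit 77c608f4 as the fix "for 3.4", and the affected-versions block gives "lessThan": "3.4.1" for the 3.4 series, so the name should be "3.4.1 git commit"; the entry that follows, 392dcb33, is the one the advisory gives for 3.3 and is correctly named "3.3.3 git commit". Three further points: "source.discovery" is "UNKNOWN" although the credits record two external finders at Red Hat, so "EXTERNAL" would match the advisory text; every "user" and "orgId" field carries the same filler value 00000000-0000-4000-9000-000000000000, which should be replaced with the real CVE Services identifiers (or dropped) if it is a placeholder; and the remediation developer is credited as "Tomáš Mráz" here but "Tomas Mraz" in secadv/20250120.txt, so one spelling should be used in both files.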
