CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

Done

Details

3 participants

Gábor Boskovits
Leo Famulari
Ludovic Courtès

Owner: unassigned

Submitted by: Leo Famulari

Severity: normal

Leo Famulari wrote on 14 Jun 2018 21:22

Recipients:(address . bug-guix@gnu.org)

Message-ID:20180614192211.GA21522@jasmine.lan

Recently a new side-channel key extraction technique was published as

CVE-2018-0495, and it affects a lot of the cryptographic libraries we

package:

https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/?style=Cyber+Security

An excerpt from that advisory:

------

We analyzed the source code of several open source cryptographic

libraries to see if they contain the vulnerable code pattern in the code

for ECDSA, DSA, or both. This list is accurate to the best of our

knowledge, but it is not exhaustive. Only the first group was affected

by this finding; the other three groups are not thought to be

vulnerable.

Contains vulnerable pattern: CryptLib (Both), LibreSSL (Both), Mozilla

NSS (Both), Botan (ECDSA), OpenSSL (ECDSA), WolfCrypt (ECDSA), Libgcrypt

(ECDSA), LibTomCrypt (ECDSA), LibSunEC (ECDSA), MatrixSSL (ECDSA),

BoringSSL (DSA)

Non-constant math, but different pattern: BouncyCastle, Crypto++, Golang

crypto/tls, C#/Mono, mbedTLS, Trezor Crypto, Nettle (DSA)

Constant time-math: Nettle (ECDSA), BearSSL, Libsecp256k1

Does not implement either: NaCl

------

Note that libtomcrypt is bundled in the Dropbear SSH implementation.

I'm going to test the libgcrypt update now.

I'd like for other Guix hackers to "claim" an affected package in this

thread, and then investigate and test the fixes. Please make new debbugs

tickets on guix-patches for each bug-fix patch you propose, and send the

links to those tickets here.

Leo Famulari wrote on 14 Jun 2018 21:50

Recipients:(address . 31831@debbugs.gnu.org)

Message-ID:20180614195049.GB4039@jasmine.lan

I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!

I'll try OpenSSL next.

Gábor Boskovits wrote on 14 Jun 2018 21:53

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 31831@debbugs.gnu.org)

Message-ID:CAE4v=pjPFsmHKG8S72fqk2DJ9iw1GVNa+0eVUwOmVqxiUWi3bg@mail.gmail.com

2018-06-14 21:50 GMT+02:00 Leo Famulari <leo@famulari.name>:

Toggle quote (5 lines)

> I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!

> I'll try OpenSSL next.

I'll try libressl.

Attachment: file

Leo Famulari wrote on 14 Jun 2018 22:06

Recipients:(name . Gábor Boskovits)(address . boskovits@gmail.com)(address . 31831@debbugs.gnu.org)

Message-ID:20180614200608.GA8617@jasmine.lan

Toggle quote (3 lines)

> 2018-06-14 21:50 GMT+02:00 Leo Famulari <leo@famulari.name>:

> > I'll try OpenSSL next.

They committed a fix but haven't released an update yet:

https://github.com/openssl/openssl/commit/a3e9d5aa980f238805970f420adf5e903d35bf09

There is also an unrelated security advisory for a DoS bug from 2 days

ago:

https://www.openssl.org/news/secadv/20180612.txt

I'll try grafting these patches.

Gábor Boskovits wrote on 14 Jun 2018 22:44

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 31831@debbugs.gnu.org)

Message-ID:CAE4v=pi8R0YTgc_UMJsC=+0A=NMWdr1cNTZUp0BuD6R_MPNf8g@mail.gmail.com

2018-06-14 21:53 GMT+02:00 Gábor Boskovits <boskovits@gmail.com>:

Toggle quote (9 lines)> 2018-06-14 21:50 GMT+02:00 Leo Famulari <leo@famulari.name>:
>
>> I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!
>>
>> I'll try OpenSSL next.
>>
>
> I'll try libressl.
>

Here it is: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31832

https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31832

Attachment: file

Leo Famulari wrote on 14 Jun 2018 22:45

Re: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

Recipients:(address . 31831@debbugs.gnu.org)

Message-ID:20180614204541.GA26976@jasmine.lan

On Thu, Jun 14, 2018 at 03:50:49PM -0400, Leo Famulari wrote:

Toggle quote (2 lines)

> I'll try OpenSSL next.

I sent patches for both branches of OpenSSL:

version 1.0.2:

https://bugs.gnu.org/31834

version 1.1.0:

https://bugs.gnu.org/31833

Leo Famulari wrote on 18 Jun 2018 18:35

Recipients:(address . 31831@debbugs.gnu.org)

Message-ID:20180618163556.GA10371@jasmine.lan

On Thu, Jun 14, 2018 at 03:50:49PM -0400, Leo Famulari wrote:

Toggle quote (2 lines)

> I'll try OpenSSL next.

Patched pushed for both OpenSSL branches, closing bugs 31833 and 31834.

Ludovic Courtès wrote on 27 Jun 2018 22:51

control message for bug #31831

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87sh58vtqd.fsf@gnu.org

tags 31831 security

Leo Famulari wrote on 16 Jul 2018 08:20

Re: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

Recipients:(address . 31831@debbugs.gnu.org)

Message-ID:20180716062034.GA3973@jasmine.lan

Fixed in Botan in Guix commit cfe255684cc4deb164d0eaaa2e1ed9804b5ff651.

Gábor Boskovits wrote on 16 Jul 2018 08:53

Re: bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 31831@debbugs.gnu.org)

Message-ID:CAE4v=pi3GY239AEQYS4MmYgjBo-kHoA3+gx5TN009fcR_gmneQ@mail.gmail.com

Leo Famulari <leo@famulari.name> ezt írta (id?pont: 2018. júl. 16., H 8:22):

Toggle quote (2 lines)

> Fixed in Botan in Guix commit cfe255684cc4deb164d0eaaa2e1ed9804b5ff651.

Are there any more packages needing attention?

Attachment: file

Leo Famulari wrote on 16 Jul 2018 19:14

Recipients:(name . Gábor Boskovits)(address . boskovits@gmail.com)(address . 31831@debbugs.gnu.org)

Message-ID:20180716171430.GA20978@jasmine.lan

On Mon, Jul 16, 2018 at 08:53:56AM +0200, Gábor Boskovits wrote:

Toggle quote (2 lines)

> Are there any more packages needing attention?

libtomcrypt version 1.18.2 includes a fix; we would need to adapt this

to the bundled copy in Dropbear. I can take a look at this today.

NSS was fixed in Guix commit 7c3bea7e6299e1026c7964c83986a6b6c220879a by

Marius. Thanks, Marius!

The advisory mentions similar but not indentical issues in these

packages:

There is a new release of Crypto++ available. I'm not sure if this

addresses whatever issue was mentioned in the original advisory.

mbedTLS's changelog doesn't mention anything related to key extraction

side channels.

I don't see any related commits in Go's crypto/tls Git repo.

Leo Famulari wrote on 16 Jul 2018 19:39

Recipients:(name . Gábor Boskovits)(address . boskovits@gmail.com)(address . 31831@debbugs.gnu.org)

Message-ID:20180716173929.GA24955@jasmine.lan

On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:

Toggle quote (3 lines)

> libtomcrypt version 1.18.2 includes a fix; we would need to adapt this

> to the bundled copy in Dropbear. I can take a look at this today.

Dropbear's bundled libtomcrypt includes a variety of whitespace and
comment changes that make it non-trivial to compare the actual
differences between the codebases.

I'm not going to work on adapting the upstream patch for Dropbear, but
of course others are welcome to do it :) Otherwise I assume the Dropbear
team will include the fixes whenever they make a new release.

Leo Famulari wrote on 26 Feb 2019 03:01

Recipients:(address . 31831-done@debbugs.gnu.org)

Message-ID:20190226020108.GA25161@jasmine.lan

On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:

Toggle quote (3 lines)

> There is a new release of Crypto++ available. I'm not sure if this

> addresses whatever issue was mentioned in the original advisory.

Crypto++ was updated to 8.0.0 in January 2019.

https://www.cryptopp.com/release800.html

Toggle quote (3 lines)

> mbedTLS's changelog doesn't mention anything related to key extraction

> side channels.

mbedTLS has been updated several times since this bug was opened, and is

currently at 2.16.0.

https://github.com/ARMmbed/mbedtls/blob/fb1972db23da39bd11d4f9c9ea6266eee665605b/ChangeLog

Neither of those upstreams have mentioned CVE-2018-0495, as far as I can

tell. The original advisory said they do not use the vulnerable pattern,

but do use "non-constant math, but different pattern".

Overall, I don't think there is anything left for us to do as a distro

in response to CVE-2018-0495, so I am closing this bug.

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 31831@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date