CVE-2016-7056 — Covert Timing Channel in OpenSSL
Severity
NVD: 5.5 MEDIUM
OSV: 9.8
EPSS
0.3%
top 43.73%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Sep 10
Latest update: Dec 29
Description
A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6
Affected Packages: 7 packages
Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 12.04, 14.04, Enterprise Linux 6.0, 7.0
Patches
Vulnerability Details (3)
Vendor Advisories (5)
Android
CVE-2016-7056: Android Security Bulletin 2017-05-01
CVE: CVE-2016-7056
Severity: MEDIUM
Affected AOSP versions: 4
2017-05-01
Apple
CVE-2016-7056: macOS Sierra 10.12.4, Security Update 2017-001 El Capitan, and Security Update 2017-001 Yosemite
2017-03-27
Debian
CVE-2016-7056: openssl - A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a m...
2016
Research Papers (1)
arXiv
One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware
2022-12-29