CVE-2018-0737
Published 2018-04-16
Priority: P3 · 39 · medium · CVSS 3.0: 5.9
AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 12.05% (95.6th percentile)
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | openssl | < openssl 1.1.0h-3 (bookworm) | openssl 1.1.0h-3 (bookworm) |
| openssl | openssl | — | — |
| openssl | openssl | — | — |
| openssl | openssl | >= 0 < 1.1.0h-3 | 1.1.0h-3 |
| openssl | openssl | >= 0 < 1.1.0h-3 | 1.1.0h-3 |
| openssl | openssl | >= 0 < 1.1.0h-3 | 1.1.0h-3 |
| openssl | openssl | >= 0 < 1.1.0h-3 | 1.1.0h-3 |
| openssl | openssl | >= 0 < 1.0.1f-1ubuntu2.26 | 1.0.1f-1ubuntu2.26 |
| openssl | openssl | >= 0 < 1.0.2g-1ubuntu4.13 | 1.0.2g-1ubuntu4.13 |
| openssl | openssl | >= 0 < 1.1.0g-2ubuntu4.1 | 1.1.0g-2ubuntu4.1 |
| openssl | openssl | 1.0.2b – 1.0.2o | — |
| openssl | openssl | 1.1.0 – 1.1.0h | — |
| paloalto | pan-os | — | — |
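
The ranges in the table above are easy to misread by hand because OpenSSL patch levels are letters, not numbers. The following check is an added example written for this page (not a tool from OpenSSL or any vendor listed here): it parses an upstream version string or `openssl version` banner, maps it onto the two affected ranges from the advisory text, and reports the OpenSSL the running Python interpreter is linked against. The `AFFECTED` table, regex and function names are this example's own. Note the caveat the Ubuntu and Debian rows make obvious: distributions backport the fix without changing the upstream version (1.0.2g-1ubuntu4.13 and 1.1.0h-3 are listed as fixed), so a hit from this check means "confirm against the package changelog", not "vulnerable".

```python
"""Version-range check for CVE-2018-0737 against the upstream ranges
from the advisory text. Added illustration, not a vendor tool."""
import re
import ssl

# Upstream affected ranges, inclusive, taken from the advisory:
# 1.0.2b..1.0.2o (fixed in 1.0.2p) and 1.1.0..1.1.0h (fixed in 1.1.0i).
# Patch letters compare as strings; '' (no letter) sorts before 'a'.
AFFECTED = {
    (1, 0, 2): ("b", "o"),
    (1, 1, 0): ("", "h"),
}

# major.minor.fix plus optional patch letters, not followed by more
# version characters (so '1.0.2p-dev' yields 'p', '1.1.0h-3' yields 'h').
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?![0-9a-z])")


def parse_openssl_version(text):
    """Extract ((major, minor, fix), letters) from '1.1.0h', '1.0.2p-dev',
    '1.0.2k-fips' or a banner such as 'OpenSSL 1.0.2g  1 Mar 2016'.
    Raises ValueError when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix)), letters


def is_affected_by_cve_2018_0737(text):
    """True when the *upstream* version sits in an affected range.
    Distro packages (e.g. 1.0.2g-1ubuntu4.13, 1.1.0h-3) carry the fix
    under an affected upstream version, so True means 'check the
    package changelog', not 'vulnerable'. LibreSSL/BoringSSL banners
    parse but are outside these ranges and are reported as False."""
    branch, letters = parse_openssl_version(text)
    bounds = AFFECTED.get(branch)
    if bounds is None:
        return False
    low, high = bounds
    return low <= letters <= high


def running_interpreter_status():
    """(banner, verdict) for the OpenSSL this Python process links to;
    verdict is None when the banner cannot be parsed."""
    banner = ssl.OPENSSL_VERSION
    try:
        return banner, is_affected_by_cve_2018_0737(banner)
    except ValueError:
        return banner, None


if __name__ == "__main__":
    print(running_interpreter_status())
    for sample in ("1.0.2a", "1.0.2b", "1.0.2o", "1.0.2p-dev",
                   "1.1.0", "1.1.0h", "1.1.0i", "1.1.1k"):
        print(f"{sample:12} affected upstream: {is_affected_by_cve_2018_0737(sample)}")
```

Run it with the banner from `openssl version` on the host, then, for any True result on a distribution package, compare the package version against the distribution's fixed version rather than the upstream string.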
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| osv | — | 5.9 | MEDIUM | — |
| vendor_debian | — | 5.9 | LOW | — |
| vendor_redhat | — | 5.9 | MEDIUM | — |
| vendor_ubuntu | — | 4.7 | MEDIUM | — |
GHSA
GHSA-rj52-j648-hww8: The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack
ghsa_unreviewed·2022-05-13
CVE-2018-0737 [MEDIUM] CWE-327 GHSA-rj52-j648-hww8: The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
OSV
openssl, openssl1.0 vulnerabilities
osv·2018-06-26·CVSS 4.7
CVE-2018-0495 [MEDIUM] openssl, openssl1.0 vulnerabilities
openssl, openssl1.0 vulnerabilities
Keegan Ryan discovered that OpenSSL incorrectly handled ECDSA key
generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private ECDSA keys. (CVE-2018-0495)
Guido Vranken discovered that OpenSSL incorrectly handled very large prime
values during a key agreement. A remote attacker could possibly use this
issue to consume resources, leading to a denial of service. (CVE-2018-0732)
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis
Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA key
generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private RSA keys. (CVE-2018-0737)
OSV
CVE-2018-0737: The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack
osv·2018-04-16·CVSS 5.9
CVE-2018-0737 [MEDIUM] CVE-2018-0737: The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
Palo Alto
PAN-SA-2018-0015 OpenSSL Vulnerabilities in PAN-OS
vendor_paloalto·2018-10-12·CVSS 7.5
CVE-2018-0732 [HIGH] CWE-320 PAN-SA-2018-0015 OpenSSL Vulnerabilities in PAN-OS
PAN-SA-2018-0015 OpenSSL Vulnerabilities in PAN-OS
The OpenSSL library has been found to contain vulnerabilities CVE-2018-0732, CVE-2018-0737, and CVE-2018-0739. Palo Alto Networks software makes use of the vulnerable library and is
CVEs: CVE-2018-0732, CVE-2018-0737, CVE-2018-0739
Affected products: PAN-OS
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2018-06-26·CVSS 4.7
CVE-2018-0495 [MEDIUM] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
Keegan Ryan discovered that OpenSSL incorrectly handled ECDSA key
generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private ECDSA keys. (CVE-2018-0495)
Guido Vranken discovered that OpenSSL incorrectly handled very large prime
values during a key agreement. A remote attacker could possibly use this
issue to consume resources, leading to a denial of service. (CVE-2018-0732)
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis
Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA key
generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private RSA keys. (CVE-2018-0737)
Instru
Ubuntu
OpenSSL vulnerabilities
vendor_ubuntu·2018-06-26·CVSS 4.7
CVE-2018-0495 [MEDIUM] OpenSSL vulnerabilities
Title: OpenSSL vulnerabilities
Summary: Several security issues were fixed in OpenSSL.
USN-3692-1 fixed a vulnerability in OpenSSL. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Keegan Ryan discovered that OpenSSL incorrectly handled ECDSA key
generation. An attacker could possibly use this issue to perform a
cache-timing attack and recover private ECDSA keys. (CVE-2018-0495)
Guido Vranken discovered that OpenSSL incorrectly handled very large prime
values during a key agreement. A remote attacker could possibly use this
issue to consume resources, leading to a denial of service. (CVE-2018-0732)
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis
Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA ke
Ubuntu
OpenSSL vulnerability
vendor_ubuntu·2018-04-19
CVE-2018-0737 OpenSSL vulnerability
Title: OpenSSL vulnerability
Summary: OpenSSL could allow access to sensitive information.
USN-3628-1 fixed a vulnerability in OpenSSL. This update provides
the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia
discovered that OpenSSL incorrectly handled RSA key generation. An attacker could possibly
use this issue to perform a cache-timing attack and recover private RSA keys.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
Ubuntu
OpenSSL vulnerability
vendor_ubuntu·2018-04-19
CVE-2018-0737 OpenSSL vulnerability
Title: OpenSSL vulnerability
Summary: OpenSSL could allow access to sensitive information.
Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia
discovered that OpenSSL incorrectly handled RSA key generation. An attacker could possibly
use this issue to perform a cache-timing attack and recover private RSA keys.
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
Red Hat
openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys
vendor_redhat·2018-04-16·CVSS 5.9
CVE-2018-0737 [MEDIUM] CWE-385 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys
openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
OpenSSL RSA key generation was found to be vulnerable to cache side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover parts of the private key.
Package: openssl (Red Hat Enterprise Linux 5) - Will not fix
Package: openssl097a (Red Hat Ente
Debian
CVE-2018-0737: openssl - The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a ca...
vendor_debian·2018·CVSS 5.9
CVE-2018-0737 [MEDIUM] CVE-2018-0737: openssl - The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a ca...
The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o).
Scope: local
bookworm: resolved (fixed in 1.1.0h-3)
bullseye: resolved (fixed in 1.1.0h-3)
forky: resolved (fixed in 1.1.0h-3)
sid: resolved (fixed in 1.1.0h-3)
trixie: resolved (fixed in 1.1.0h-3)
No detection rules found.
No public exploits indexed.
Bugzilla
side channel vulnerabilities during RSA key generation
bugzilla·2020-04-20
side channel vulnerabilities during RSA key generation
side channel vulnerabilities during RSA key generation
Created attachment 9141851
nss_rsa_beea.png
[filed from mail to security@ from Billy Brumley]
Hello,
I lead a team of researchers that specializes in security and applied
cryptography, in particular both SW and HW-based Side Channel Analysis
(SCA). We recently started a project to assess SCA security in NSS. Part
of that assessment turned up some weaknesses in your implementation of
RSA, led by Nacho (in CC).
Please find the report below -- we look forward to opening a dialogue with
you during the disclosure process.
Billy Brumley, D.Sc. (Tech.)
Associate Professor
Tampere University
Tampere, FINLAND
https://research.tuni.fi/nisec/
## Code path
In the attached debug session (debug.txt), using certutil to generate an
RSA key pair, in
Bugzilla
CVE-2018-0737 mingw-openssl: openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys [epel-7]
bugzilla·2018-04-17·CVSS 5.9
CVE-2018-0737 [MEDIUM] CVE-2018-0737 mingw-openssl: openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys [epel-7]
CVE-2018-0737 mingw-openssl: openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bugzilla
CVE-2018-0737 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys [fedora-all]
bugzilla·2018-04-17·CVSS 5.9
CVE-2018-0737 [MEDIUM] CVE-2018-0737 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys [fedora-all]
CVE-2018-0737 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg
Bugzilla
CVE-2018-0737 mingw-openssl: openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys [fedora-all]
bugzilla·2018-04-17·CVSS 5.9
CVE-2018-0737 [MEDIUM] CVE-2018-0737 mingw-openssl: openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys [fedora-all]
CVE-2018-0737 mingw-openssl: openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog
Bugzilla
CVE-2018-0737 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys
bugzilla·2018-04-17·CVSS 5.9
CVE-2018-0737 [MEDIUM] CVE-2018-0737 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys
CVE-2018-0737 openssl: RSA key generation cache timing vulnerability in crypto/rsa/rsa_gen.c allows attackers to recover private keys
OpenSSL before versions 1.0.2p and 1.1.0i are vulnerable to RSA key generation cache timing side channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key.
External References:
https://www.openssl.org/news/secadv/20180416.txt
http://www.openwall.com/lists/oss-security/2018/04/16/3
Upstream Patches:
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6939eab03a6e23d2bd2c3f5e34fe1d48e542e787
Discussion:
Created openssl tracking bugs for this issue:
Af
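
None of the advisories above say what in crypto/rsa/rsa_gen.c leaked. My reading of the two upstream patches listed under "Upstream Patches" is that key generation checked gcd(p-1, e) == 1 with BN_gcd, a binary GCD whose shift-or-subtract control flow depends on the secret operand, and that the fix asks for a modular inverse of p-1 mod e on an operand flagged BN_FLG_CONSTTIME instead (the inverse exists exactly when the gcd is 1). The block below is a constructed model written for this page, not OpenSSL code and not the researchers' attack: it runs a binary GCD that records every data-dependent step (the list a cache probe on the shift and subtract routines would reconstruct), shows that the trace hands over the trailing zero bits of p-1 directly and narrows the candidate set much further, and puts the inverse-based check beside it. The names, the toy key sizes and the brute-force "survivor" count are this example's own; a real attack additionally needs a Flush+Reload probe on the library, noise handling, and lattice or brute-force work to recover the rest of p, and Python integers are not constant-time, so the second function mirrors only the algorithmic change.

```python
"""Data-dependent control flow in a binary GCD beside an inverse-based
coprimality test. Constructed illustration, not OpenSSL code."""
import random

E = 65537  # the usual RSA public exponent; odd, so the 'S2' loop never runs


def binary_gcd_traced(u, v):
    """Stein's binary GCD that also returns the sequence of data-dependent
    steps it took. 'S2': both even, halve both; 'SU'/'SV': halve u or v;
    'U-V'/'V-U': which operand was subtracted from which. A probe that can
    tell the shift path from the subtract path observes exactly this list."""
    trace = []
    if u == 0:
        return v, trace
    if v == 0:
        return u, trace
    common_shift = 0
    while u % 2 == 0 and v % 2 == 0:
        u >>= 1
        v >>= 1
        common_shift += 1
        trace.append("S2")
    while u != 0:
        while u % 2 == 0:
            u >>= 1
            trace.append("SU")
        while v % 2 == 0:          # v stays > 0 throughout, so this terminates
            v >>= 1
            trace.append("SV")
        if u >= v:
            u -= v
            trace.append("U-V")
        else:
            v -= u
            trace.append("V-U")
    return v << common_shift, trace


def trailing_zero_bits_leaked(trace):
    """For odd e, the trace of gcd(p-1, e) opens with one 'SU' per trailing
    zero bit of p-1, so v2(p-1) is read straight off the observation."""
    n = 0
    for step in trace:
        if step != "SU":
            break
        n += 1
    return n


def candidates_matching_trace(trace, bits, e=E):
    """Brute-force the partition the leak induces: every odd bits-bit value
    p whose gcd(p-1, e) run produces the observed trace. Toy sizes only."""
    return [p for p in range((1 << (bits - 1)) + 1, 1 << bits, 2)
            if binary_gcd_traced(p - 1, e)[1] == trace]


def coprime_via_inverse(a, e):
    """Shape of the upstream fix: instead of running the branchy gcd, ask
    for a^-1 mod e; the inverse exists iff gcd(a, e) == 1 (OpenSSL uses
    BN_mod_inverse with BN_FLG_CONSTTIME set on the operand). Python's
    pow() is not constant-time; this mirrors the algorithmic change only."""
    try:
        pow(a, -1, e)          # Python 3.8+
        return True
    except ValueError:         # base is not invertible for the given modulus
        return False


def demo(bits=12, seed=7):
    """Pick a random odd toy candidate p, observe its gcd(p-1, E) trace and
    count how many same-size candidates are still consistent with it.
    Returns (p, leaked_trailing_zero_bits, surviving_candidates)."""
    rng = random.Random(seed)   # constructed input, fixed seed
    p = rng.randrange(1 << (bits - 1), 1 << bits) | 1
    _, trace = binary_gcd_traced(p - 1, E)
    k = trailing_zero_bits_leaked(trace)
    survivors = candidates_matching_trace(trace, bits)
    assert p in survivors
    return p, k, len(survivors)


if __name__ == "__main__":
    p, k, n = demo()
    print(f"p={p}: trace leaks v2(p-1)={k}; "
          f"{n} of {1 << 11} odd candidates share this trace")
```

The point to take from the run is the survivor count: one observed trace of a 12-bit toy candidate is compatible with only a handful of the 2048 odd values of that size, and the count shrinks further as the trace grows with the operand. The inverse-based check has no such secret-dependent branch structure to observe, which is what BN_FLG_CONSTTIME buys in the fixed releases.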
arXiv
Investigating Black-Box Function Recognition Using Hardware Performance Counters
arxiv_fulltext·2022-11-28
Investigating Black-Box Function Recognition Using Hardware Performance Counters
Investigating Black-Box Function Recognition Using Hardware Performance Counters
Carlton Shepherd, Benjamin Semal, and Konstantinos Markantonakis
All authors are of Royal Holloway, University of London, Egham, Surrey, United Kingdom.
## Abstract
This paper presents new methods and results for recognising black-box program functions using hardware performance counters (HPC), where an investigator can invoke and measure function calls. Important use cases include analysing compiled libraries, e.g.\ static and dynamic link libraries, and trusted execution environment (TEE) applications. We develop a generic approach to classify a comprehensive set of hardware events, e.g.\ branch mis-predictions and instruction retirements, to recognise standard
arXiv
Cache Refinement Type for Side-Channel Detection of Cryptographic Software
arxiv_fulltext·2022-10-19
Cache Refinement Type for Side-Channel Detection of Cryptographic Software
Cache Refinement Type for Side-Channel Detection of Cryptographic Software
Ke Jiang (Nanyang Technological University, Singapore), Yuyan Bao (University of Waterloo, Waterloo, Ontario, Canada), Shuai Wang (corresponding author; Hong Kong University of Science and Technology, Hong Kong, China), Zhibo Liu (Hong Kong University of Science and Technology, Hong Kong, China), Tianwei Zhang (Nanyang Technological University, Singapore)
## Abstract
Cache side-channel attacks exhibit severe threats to software security and
privacy, especially for cryptosystems. In this paper, we propose , a novel
refinement type-based tool for detecting cache side channels in crypto software.
Compared
References
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
http://www.securityfocus.com/bid/103766
http://www.securitytracker.com/id/1040685
https://access.redhat.com/errata/RHSA-2018:3221
https://access.redhat.com/errata/RHSA-2018:3505
https://access.redhat.com/errata/RHSA-2019:3932
https://access.redhat.com/errata/RHSA-2019:3933
https://access.redhat.com/errata/RHSA-2019:3935
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=349a41da1ad88ad87825414752a8ff5fdd6a6c3f
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=6939eab03a6e23d2bd2c3f5e34fe1d48e542e787
https://lists.debian.org/debian-lts-announce/2018/07/msg00043.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EWC42UXL5GHTU5G77VKBF6JYUUNGSHOM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y3IVFGSERAZLNJCK35TEM2R4726XIH3Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBEV5QGDRFUZDMNECFXUSN5FMYOZDE4V/
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
https://security.gentoo.org/glsa/201811-21
https://security.netapp.com/advisory/ntap-20180726-0003/
https://securityadvisories.paloaltonetworks.com/Home/Detail/133
https://usn.ubuntu.com/3628-1/
https://usn.ubuntu.com/3628-2/
https://usn.ubuntu.com/3692-1/
https://usn.ubuntu.com/3692-2/
https://www.debian.org/security/2018/dsa-4348
https://www.debian.org/security/2018/dsa-4355
https://www.openssl.org/news/secadv/20180416.txt
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.tenable.com/security/tns-2018-12
https://www.tenable.com/security/tns-2018-13
https://www.tenable.com/security/tns-2018-14
https://www.tenable.com/security/tns-2018-17