PT-2014-1312 · Openssl+5 · Openssl+5

Publicado

2014-03-25

Atualizado

2024-06-15

CVE-2014-0076

CVSS v2.0

1.9

Baixa

Vetor

AV:L/AC:M/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions OpenSSL versions 1.0.0 through 1.0.0l OpenSSL versions prior to 1.0.1g

Description The Montgomery ladder implementation in OpenSSL does not ensure constant-time behavior for certain swap operations, making it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack. Multiple vulnerabilities in the OpenSSL package can lead to confidentiality breaches, and exploitation can be done remotely.

Recommendations For OpenSSL versions 1.0.0 through 1.0.0l, consider updating to a version with a fixed Montgomery ladder implementation. For OpenSSL versions prior to 1.0.1g, update to version 1.0.1g or later to address the vulnerabilities. As a temporary workaround, consider restricting access to sensitive operations that rely on the Montgomery ladder implementation until a patch is available.

Exploit

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-310

Identificadores relacionados

ALT-PU-2014-1451

BDU:2015-00130

BDU:2015-00131

BDU:2015-09760

CVE-2014-0076

DLA-0003-1

DSA-2908-1

HPSBUX03046

MGASA-2014-0165

OPENSUSE-SU-2016_0640-1

OPENSUSE-SU-2024:10271-1

OPENSUSE-SU-2024:10529-1

OPENSUSE-SU-2024:11127-1

SUSE-FU-2022:0445-1

SUSE-SU-2014_0538-1

SUSE-SU-2014_0539-1

SUSE-SU-2014_0541-1

SUSE-SU-2014_0761-1

SUSE-SU-2015:0545-1

SUSE-SU-2015:0545-2

SUSE-SU-2015:1182-1

SUSE-SU-2015:1182-2

SUSE-SU-2015:1184-1

SUSE-SU-2015:1184-2

SUSE-SU-403

Produtos afetados

Alt Linux

Hp-Ux

Huawei Vrp

Junos

Openssl

Suse

PT-2014-1312 · Openssl+5 · Openssl+5

CVE-2014-0076

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 485