PT-2019-4482 · Openssl+7

Published: 2019-12-06 · Updated: 2026-04-30

CVE-2019-1551

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

OpenSSL versions 1.1.1 through 1.1.1d
OpenSSL versions 1.0.2 through 1.0.2t

Description

The issue is an overflow bug in the x86_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible, but the target would have to re-use the DH512 private key, which is not recommended. Applications that directly use the low-level API BN_mod_exp may also be affected if they use BN_FLG_CONSTTIME.

Recommendations

For OpenSSL versions 1.1.1 through 1.1.1d, update to OpenSSL 1.1.1e. For OpenSSL versions 1.0.2 through 1.0.2t, update to OpenSSL 1.0.2u. As a temporary workaround, consider restricting the use of the BN_mod_exp function with BN_FLG_CONSTTIME until a patch is available. Avoid re-using the DH512 private key to minimize the risk of exploitation.

Fix

Integer Overflow

Information Disclosure

Weakness Enumeration

Related identifiers

ALT-PU-2020-1879
ALT-PU-2020-1892
ALT-PU-2020-3485
BDU:2020-00300
CESA-2020_4514
CVE-2019-1551
DLA-2952-1
DSA-4594-1
DSA-4855-1
JLSEC-2026-216
MGASA-2020-0023
OPENSUSE-SU-2020:0062-1
OPENSUSE-SU-2020_0062-1
OPENSUSE-SU-2024:10660-1
OPENSUSE-SU-2024:11126-1
OPENSUSE-SU-2024:11127-1
RHSA-2020:4384
RHSA-2020:4514
RHSA-2020_4514
SUSE-FU-2022:0445-1
SUSE-SU-2020:0002-1
SUSE-SU-2020:0028-1
SUSE-SU-2020:0064-1
SUSE-SU-2020:0069-1
SUSE-SU-2020:0099-1
SUSE-SU-2020:0474-1
SUSE-SU-2020_0002-1
SUSE-SU-2020_0028-1
SUSE-SU-2020_0064-1
SUSE-SU-2020_0069-1
SUSE-SU-2020_0474-1
USN-4376-1
USN-4504-1

Affected products

Alt Linux
Astra Linux
Centos
Openssl
Red Hat
Red Os
Suse
Ubuntu