Richard Morgan

#44541 of 53,633
5.9 Total CVSS
Vulnerabilities · 1
PT-2016-3306
5.9
2016-11-11
Openssl · Openssl · CVE-2016-7055
**Name of the Vulnerable Software and Affected Versions**

OpenSSL versions 1.0.2 and 1.1.0 through 1.1.0b

**Description**

The issue is a carry-propagation bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL, which handles input lengths that are divisible by 256 bits but longer than 256 bits. The bug can manifest as transient authentication and key-negotiation failures, or as a reproducible erroneous outcome of public-key operations on specially crafted input. Among EC algorithms, only Brainpool P-512 curves are affected, and it is presumed that an attacker could exploit this vulnerability to attack ECDH key negotiation. The prerequisites for an attack are considered unlikely: multiple clients would have to choose the curve in question and the server would have to share the private key among them, neither of which is default behavior.

**Recommendations**

For OpenSSL versions 1.0.2 and 1.1.0 through 1.1.0b, update to version 1.1.0c or later to resolve the issue. As a temporary workaround, consider restricting the use of Brainpool P-512 curves in EC algorithms to minimize the risk of exploitation. Avoid using the affected Montgomery multiplication procedure in OpenSSL until the issue is resolved.
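The following is an added example, not part of this advisory or of OpenSSL's own code: a limb-based Montgomery multiplication in plain Python with explicit carry propagation on both passes, plus a self-check against big-integer arithmetic that feeds boundary operands of the kind that stress carries. The modulus is the brainpoolP512r1 field prime from RFC 5639 (the 512-bit curve the advisory names); the check itself works for any odd modulus.

```python
import secrets

LIMB_BITS = 64
MASK = (1 << LIMB_BITS) - 1

# brainpoolP512r1 field prime as published in RFC 5639 (any odd modulus works for the check)
BRAINPOOL_P512_P = int(
    "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330871"
    "7D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3", 16)


def mont_mul(a, b, m):
    """CIOS Montgomery product a*b*R^-1 mod m, R = 2^(64*k), computed limb by limb.
    The carry is propagated through every limb on both passes; dropping one is the
    class of defect the advisory above describes."""
    k = (m.bit_length() + LIMB_BITS - 1) // LIMB_BITS
    A = [(a >> (64 * j)) & MASK for j in range(k)]
    B = [(b >> (64 * j)) & MASK for j in range(k)]
    N = [(m >> (64 * j)) & MASK for j in range(k)]
    m_inv = (-pow(m, -1, 1 << LIMB_BITS)) & MASK      # -m^-1 mod 2^64
    t = [0] * (k + 2)                                 # accumulator, k+2 limbs
    for i in range(k):
        carry = 0                                     # t += A * B[i]
        for j in range(k):
            s = t[j] + A[j] * B[i] + carry
            t[j], carry = s & MASK, s >> LIMB_BITS
        s = t[k] + carry
        t[k], t[k + 1] = s & MASK, s >> LIMB_BITS
        u = (t[0] * m_inv) & MASK                     # makes t[0] + u*N[0] == 0 mod 2^64
        carry = (t[0] + u * N[0]) >> LIMB_BITS
        for j in range(1, k):                         # t = (t + u*N) / 2^64
            s = t[j] + u * N[j] + carry
            t[j - 1], carry = s & MASK, s >> LIMB_BITS
        s = t[k] + carry
        t[k - 1], t[k] = s & MASK, t[k + 1] + (s >> LIMB_BITS)
        t[k + 1] = 0
    r = sum(limb << (64 * j) for j, limb in enumerate(t[:k + 1]))
    return r - m if r >= m else r


def check_montgomery(m, random_trials=200):
    """Cross-check mont_mul against big-int arithmetic; True if every case agrees.
    Boundary operands (all-ones limbs, m-1) maximise carries, where a carry bug shows."""
    k = (m.bit_length() + LIMB_BITS - 1) // LIMB_BITS
    r_inv = pow(1 << (LIMB_BITS * k), -1, m)
    edge = [0, 1, m - 1, ((1 << (LIMB_BITS * k)) - 1) % m, (1 << (LIMB_BITS * k - 1)) % m]
    pairs = [(x, y) for x in edge for y in edge]
    pairs += [(secrets.randbelow(m), secrets.randbelow(m)) for _ in range(random_trials)]
    return all(mont_mul(x, y, m) == (x * y * r_inv) % m for x, y in pairs)
```

Running `check_montgomery(BRAINPOOL_P512_P)` is the shape of regression test a library would keep for a limb-arithmetic path: a reference implementation plus inputs chosen to force carries out of every limb.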