PT-2015-3202 · Gnu+5 · Nettle+5

Hanno Böck

·

Published

2015-12-31

·

Updated

2018-10-30

·

CVE-2015-8803

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Nettle versions prior to 3.2
Description The issue is related to the ecc 256 modp function in ecc-256.c, which does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve. This allows attackers to have an unspecified impact via unknown vectors. The vulnerability may allow a remote attacker to affect the confidentiality, integrity, and availability of protected information due to errors in cryptographic transformations.
Recommendations For versions prior to 3.2, update to version 3.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the ecc 256 modp function until a patch is available.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-310CWE-254

Related Identifiers

ALT-PU-2016-1076
BDU:2016-00709
CESA-2016_2582
CVE-2015-8803
MGASA-2016-0061
OPENSUSE-SU-2024:10339-1
RHSA-2016:2582
RHSA-2016_2582
SUSE-SU-2016:0455-1
SUSE-SU-2016_0455-1
USN-2897-1

Affected Products

Alt Linux
Centos
Nettle
Red Hat
Suse
Ubuntu