PT-2016-3418 · Openssl+12 · Openssl+15
Billy Brumley
+2
·
Published
2016-06-08
·
Updated
2024-06-15
·
CVE-2016-2178
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
OpenSSL versions 1.0.2h and earlier
Description
The issue is related to the
dsa sign setup function in OpenSSL, which does not ensure the use of constant-time operations. This makes it easier for local users to discover a DSA private key via a timing side-channel attack. The vulnerability can allow an attacker to recover the DSA private key under certain conditions, potentially affecting SSH servers that use DSA keys.Recommendations
For OpenSSL versions 1.0.2h and earlier, consider upgrading to a version that addresses this issue, as the current version does not properly ensure the use of constant-time operations, making it vulnerable to timing side-channel attacks.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
Information Disclosure
Side Channel Attack
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Centos
Cisco Asa
Cisco Ios Xr
Cisco Nexus
Cisco Wls
Fortios
Freebsd
Huawei Vrp
Ibm Aix
Junos
Nessus
Openssl
Red Hat
Suse
Ubuntu