bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 1480 bytes --]

Recently a new side-channel key extraction technique was published as
CVE-2018-0495, and it affects a lot of the cryptographic libraries we
package:

https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/?style=Cyber+Security

An excerpt from that advisory:

------
We analyzed the source code of several open source cryptographic
libraries to see if they contain the vulnerable code pattern in the code
for ECDSA, DSA, or both. This list is accurate to the best of our
knowledge, but it is not exhaustive. Only the first group was affected
by this finding; the other three groups are not thought to be
vulnerable.

Contains vulnerable pattern: CryptLib (Both), LibreSSL (Both), Mozilla
NSS (Both), Botan (ECDSA), OpenSSL (ECDSA), WolfCrypt (ECDSA), Libgcrypt
(ECDSA), LibTomCrypt (ECDSA), LibSunEC (ECDSA), MatrixSSL (ECDSA),
BoringSSL (DSA)

Non-constant math, but different pattern: BouncyCastle, Crypto++, Golang
crypto/tls, C#/Mono, mbedTLS, Trezor Crypto, Nettle (DSA)

Constant time-math: Nettle (ECDSA), BearSSL, Libsecp256k1

Does not implement either: NaCl
------

Note that libtomcrypt is bundled in the Dropbear SSH implementation.

I'm going to test the libgcrypt update now.

I'd like for other Guix hackers to "claim" an affected package in this
thread, and then investigate and test the fixes. Please make new debbugs
tickets on guix-patches for each bug-fix patch you propose, and send the
links to those tickets here.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 93 bytes --]

I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!

I'll try OpenSSL next.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Gábor Boskovits]

[-- Attachment #1: Type: text/plain, Size: 182 bytes --]

2018-06-14 21:50 GMT+02:00 Leo Famulari <leo@famulari.name>:

> I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!
>
> I'll try OpenSSL next.
>

I'll try libressl.

[-- Attachment #2: Type: text/html, Size: 517 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 393 bytes --]

> 2018-06-14 21:50 GMT+02:00 Leo Famulari <leo@famulari.name>:
> > I'll try OpenSSL next.

They committed a fix but haven't released an update yet:

https://github.com/openssl/openssl/commit/a3e9d5aa980f238805970f420adf5e903d35bf09

There is also an unrelated security advisory for a DoS bug from 2 days
ago:

https://www.openssl.org/news/secadv/20180612.txt

I'll try grafting these patches.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Gábor Boskovits]

[-- Attachment #1: Type: text/plain, Size: 393 bytes --]

2018-06-14 21:53 GMT+02:00 Gábor Boskovits <boskovits@gmail.com>:

> 2018-06-14 21:50 GMT+02:00 Leo Famulari <leo@famulari.name>:
>
>> I see that Efraim already updated libgcrypt. Awesome, thanks Efraim!
>>
>> I'll try OpenSSL next.
>>
>
> I'll try libressl.
>
Here it is: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31832
<https://debbugs.gnu.org/cgi/bugreport.cgi?bug=31832>

[-- Attachment #2: Type: text/html, Size: 1069 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 225 bytes --]

On Thu, Jun 14, 2018 at 03:50:49PM -0400, Leo Famulari wrote:
> I'll try OpenSSL next.

I sent patches for both branches of OpenSSL:

version 1.0.2:

<https://bugs.gnu.org/31834>

version 1.1.0:

<https://bugs.gnu.org/31833>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 160 bytes --]

On Thu, Jun 14, 2018 at 03:50:49PM -0400, Leo Famulari wrote:
> I'll try OpenSSL next.

Patched pushed for both OpenSSL branches, closing bugs 31833 and 31834.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 72 bytes --]

Fixed in Botan in Guix commit cfe255684cc4deb164d0eaaa2e1ed9804b5ff651.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Gábor Boskovits]

[-- Attachment #1: Type: text/plain, Size: 209 bytes --]

Leo Famulari <leo@famulari.name> ezt írta (időpont: 2018. júl. 16., H 8:22):

> Fixed in Botan in Guix commit cfe255684cc4deb164d0eaaa2e1ed9804b5ff651.
>
Are there any more packages needing attention?

[-- Attachment #2: Type: text/html, Size: 762 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 727 bytes --]

On Mon, Jul 16, 2018 at 08:53:56AM +0200, Gábor Boskovits wrote:
> Are there any more packages needing attention?

libtomcrypt version 1.18.2 includes a fix; we would need to adapt this
to the bundled copy in Dropbear. I can take a look at this today.

NSS was fixed in Guix commit 7c3bea7e6299e1026c7964c83986a6b6c220879a by
Marius. Thanks, Marius!

The advisory mentions similar but not indentical issues in these
packages:

There is a new release of Crypto++ available. I'm not sure if this
addresses whatever issue was mentioned in the original advisory.

mbedTLS's changelog doesn't mention anything related to key extraction
side channels.

I don't see any related commits in Go's crypto/tls Git repo.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 577 bytes --]

On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> libtomcrypt version 1.18.2 includes a fix; we would need to adapt this
> to the bundled copy in Dropbear. I can take a look at this today.

Dropbear's bundled libtomcrypt includes a variety of whitespace and
comment changes that make it non-trivial to compare the actual
differences between the codebases.

I'm not going to work on adapting the upstream patch for Dropbear, but
of course others are welcome to do it :) Otherwise I assume the Dropbear
team will include the fixes whenever they make a new release.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

bug#31831: CVE-2018-0495 Key Extraction Side Channel in Multiple Crypto Libraries

[Leo Famulari]

[-- Attachment #1: Type: text/plain, Size: 896 bytes --]

On Mon, Jul 16, 2018 at 01:14:30PM -0400, Leo Famulari wrote:
> There is a new release of Crypto++ available. I'm not sure if this
> addresses whatever issue was mentioned in the original advisory.

Crypto++ was updated to 8.0.0 in January 2019.

https://www.cryptopp.com/release800.html

> mbedTLS's changelog doesn't mention anything related to key extraction
> side channels.

mbedTLS has been updated several times since this bug was opened, and is
currently at 2.16.0.

https://github.com/ARMmbed/mbedtls/blob/fb1972db23da39bd11d4f9c9ea6266eee665605b/ChangeLog

Neither of those upstreams have mentioned CVE-2018-0495, as far as I can
tell. The original advisory said they do not use the vulnerable pattern,
but do use "non-constant math, but different pattern".

Overall, I don't think there is anything left for us to do as a distro
in response to CVE-2018-0495, so I am closing this bug.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]