Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-7056

Опубликовано: 10 янв. 2017
Источник: redhat
CVSS3: 5.5
EPSS Низкий

Описание

A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.

A timing attack flaw was found in OpenSSL that could allow a malicious user with local access to recover ECDSA P-256 private keys.

Отчет

In order to exploit this flaw, the attacker needs to be have local (shell) access to the machine where the message is being signed using the ECDSA algorithm with a P-256 elliptic curve key. Then using cache timing attacks (which needs precise timing), on multiple signature runs, the private key could be obtained. Based on the factor that exploitation is difficult, Red Hat Product Security Team has rated this flaw as having Moderate impact. A further security release may address this flaw.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5opensslNot affected
Red Hat Enterprise Linux 5openssl097aNot affected
Red Hat Enterprise Linux 6opensslOut of support scope
Red Hat Enterprise Linux 6openssl098eNot affected
Red Hat Enterprise Linux 7openssl098eNot affected
Red Hat Enterprise Virtualization 3mingw-virt-viewerWill not fix
Red Hat JBoss Enterprise Application Platform 6opensslNot affected
Red Hat JBoss Enterprise Web Server 1opensslWill not fix
Red Hat JBoss Enterprise Web Server 2opensslNot affected
Red Hat JBoss Web Server 3opensslFix deferred

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-385
https://bugzilla.redhat.com/show_bug.cgi?id=1412120openssl: ECDSA P-256 timing attack key recovery

EPSS

Процентиль: 56%
0.00334
Низкий

5.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2016-7056

CVSS3: 5.5
ubuntu
больше 7 лет назад

A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.

nvd логотип

CVE-2016-7056

CVSS3: 5.5
nvd
больше 7 лет назад

A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.

debian логотип

CVE-2016-7056

CVSS3: 5.5
debian
больше 7 лет назад

A timing attack flaw was found in OpenSSL 1.0.1u and before that could ...

suse-cvrf логотип

openSUSE-SU-2017:0409-1

suse-cvrf
около 9 лет назад

Security update for libressl

github логотип

GHSA-9f4v-cw9w-g4cw

CVSS3: 5.5
github
больше 3 лет назад

A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.

EPSS

Процентиль: 56%
0.00334
Низкий

5.5 Medium

CVSS3