Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 640210 (CVE-2017-3738) - [TRACKER] rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
Summary: [TRACKER] rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
Status: RESOLVED FIXED
Alias: CVE-2017-3738
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://mta.openssl.org/pipermail/ope...
Whiteboard:
Keywords: Tracker
Depends on: CVE-2017-3737 640212
Blocks:
  Show dependency tree
 
Reported: 2017-12-07 18:23 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-01-08 16:11 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-12-07 18:23:25 UTC
rsaz_1024_mul_avx2 overflow bug on x86_64 (CVE-2017-3738)
=========================================================

Severity: Low

There is an overflow bug in the AVX2 Montgomery multiplication procedure
used in exponentiation with 1024-bit moduli. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this defect
would be very difficult to perform and are not believed likely. Attacks
against DH1024 are considered just feasible, because most of the work
necessary to deduce information about a private key may be performed offline.
The amount of resources required for such an attack would be significant.
However, for an attack on TLS to be meaningful, the server would have to share
the DH1024 private key among multiple clients, which is no longer an option
since CVE-2016-0701.

This only affects processors that support the AVX2 but not ADX extensions
like Intel Haswell (4th generation).

Note: The impact from this issue is similar to CVE-2017-3736, CVE-2017-3732
and CVE-2015-3193.

Due to the low severity of this issue we are not issuing a new release of
OpenSSL 1.1.0 at this time. The fix will be included in OpenSSL 1.1.0h when it
becomes available. The fix is also available in commit e502cc86d in the OpenSSL
git repository.

OpenSSL 1.0.2 users should upgrade to 1.0.2n

This issue was reported to OpenSSL on 22nd November 2017 by David Benjamin
(Google). The issue was originally found via the OSS-Fuzz project. The fix was
developed by Andy Polyakov of the OpenSSL development team.
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2018-01-08 16:11:28 UTC
This issue was resolved and addressed in
 GLSA 201712-03 at https://security.gentoo.org/glsa/201712-03
by GLSA coordinator Thomas Deutschmann (whissi).