Bug 991464 - (CVE-2016-6489) VUL-0: CVE-2016-6489: libnettle: RSA code is vulnerable to cache-timing related attacks
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P4 - Low, Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/171499/
CVSSv2:RedHat:CVE-2016-6489:5.8:(AV:N...
Reported: 2016-08-01 12:00 UTC by Sebastian Krahmer
Modified: 2019-02-03 09:52 UTC (History)

Found By: Security Response Team
Attachments
Patch for SLE-12 (2.69 KB, patch)
2017-05-31 15:42 UTC, Pedro Monreal Gonzalez

Description Sebastian Krahmer 2016-08-01 12:00:37 UTC
Quoting from RH BZ:

A cache-related side channel was found in the nettle RSA code. An attacker could use specially crafted RSA or DSA data, which could make the SSL/TLS connection susceptible to Man-in-the-Middle attacks:

rh#1362016


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1362016
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6489
http://seclists.org/oss-sec/2016/q3/202
https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3
Comment 2 Tomáš Chvátal 2016-08-01 13:06:24 UTC
I checked the problem. Based on the discussion on the mailing list, it has quite some issues/regressions.

I would recommend actually waiting for upstream to have a fix that really works.
Comment 4 Andreas Stieger 2016-10-28 13:17:41 UTC
This is now released upstream in 3.3:

> 	This release fixes a couple of bugs, and improves resistance
> 	to side-channel attacks on RSA and DSA private key operations.
> [...]
> 
> 	* RSA and DSA now use side-channel silent modular
> 	  exponentiation, to defend against attacks on the private key
> 	  from evil processes sharing the same processor cache. This
> 	  attack scenario is of particular relevance when running an
> 	  HTTPS server on a virtual machine, where you don't know who
> 	  you share the cache hardware with.
> 
> 	  (Private key operations on elliptic curves were already
> 	  side-channel silent).
Comment 6 Pedro Monreal Gonzalez 2017-05-31 14:49:04 UTC
Created attachment 727154 [details]
Patch for SLE-12

Hi, I am the new maintainer of this package. After some research, I have seen that the majority of the changes are in commit [1] that switches from function mpz_powm to mpz_powm_sec. Function mpz_powm_sec handles only odd moduli.

As mentioned in [2] and the following messages, there are some other parity checks that must be implemented for this new function to work properly; these are given in commits [3-5]. Note that commit [3] does not apply in 2.7.1.

I have just submitted to SLE-12:Update. Could you please check that the applied patch does not break anything?

Codestream              Version Status
-------------------------------------------------------------
Factory                 3.3     Not affected
Leap:42.2:Update        2.7.1   Comes from SUSE:SLE-12:Update
Leap:42.1:Update        2.7.1   Comes from SUSE:SLE-12:GA
SLE-12:Update           2.7.1   mr#133471

[1] https://git.lysator.liu.se/nettle/nettle/commit/3fe1d6549765ecfb24f0b80b2ed086fdc818bff3
[2] https://lists.lysator.liu.se/pipermail/nettle-bugs/2016/003093.html
[3] https://git.lysator.liu.se/nettle/nettle/commit/52b9223126b3f997c00d399166c006ae28669068
[4] https://git.lysator.liu.se/nettle/nettle/commit/5eb30d94f6f5f3f0cb9ba9ed24bc52b7376176b6
[5] https://git.lysator.liu.se/nettle/nettle/commit/c66b5f203861729b7a5f006c6f4368acad878f36
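A model of the change this comment describes, as an added example that is not nettle's or GMP's code: a square-and-multiply whose branch depends on private-key bits, the fixed-sequence ladder that a side-channel silent `mpz_powm_sec` replaces it with, and the odd-modulus and key-parity guards. The function names (`powm_sec`, `rsa_private_key_check`, `rsa_compute_root_crt`) and the exact form of the parity check are assumptions, not the patch's own code.

```python
# Added example, not nettle's or GMP's code. It contrasts the key-dependent branch in
# textbook square-and-multiply with a ladder that performs the same operation sequence
# for every exponent bit, and models the odd-modulus guard that mpz_powm_sec requires.
# Python integers are not constant-time; only the operation sequence is fixed here.

def powm_leaky(base, exp, mod):
    """Square-and-multiply: the multiply runs only for 1 bits of the secret exponent."""
    result = 1
    for bit in bin(exp)[2:]:
        result = (result * result) % mod
        if bit == "1":  # branch on a private-key bit: the pattern a cache attack observes
            result = (result * base) % mod
    return result

def powm_ladder(base, exp, mod, nbits):
    """Montgomery ladder: one squaring and one multiply per bit, operands chosen by
    arithmetic masking instead of a branch, over a fixed number of bits."""
    if exp >> nbits:
        raise ValueError("exponent does not fit in the fixed bit length")
    r0, r1 = 1, base % mod  # invariant: r1 == r0 * base (mod mod)
    for i in range(nbits - 1, -1, -1):
        b = (exp >> i) & 1
        lo = r0 * (1 - b) + r1 * b  # (lo, hi) = (r0, r1) if b == 0 else (r1, r0)
        hi = r1 * (1 - b) + r0 * b
        hi = (hi * lo) % mod
        lo = (lo * lo) % mod
        r0 = lo * (1 - b) + hi * b
        r1 = hi * (1 - b) + lo * b
    return r0

def powm_sec(base, exp, mod):
    """Stands in for mpz_powm_sec, which likewise handles only odd moduli."""
    if mod % 2 == 0:
        raise ValueError("side-channel silent exponentiation needs an odd modulus")
    return powm_ladder(base, exp, mod, mod.bit_length())

def rsa_private_key_check(p, q):
    """Parity check on the key factors (the exact form in commits [3-5] is assumed):
    reject a key with an even p or q before it can reach powm_sec."""
    if p % 2 == 0 or q % 2 == 0:
        raise ValueError("RSA key rejected: p and q must be odd")
    return True

def rsa_compute_root_crt(c, p, q, d):
    """CRT private-key operation; both exponentiations go through powm_sec."""
    rsa_private_key_check(p, q)
    mp = powm_sec(c % p, d % (p - 1), p)
    mq = powm_sec(c % q, d % (q - 1), q)
    h = ((mp - mq) * pow(q, -1, p)) % p  # Garner recombination
    return mq + q * h
```

The CRT exponents d mod (p-1) and d mod (q-1) always fit in the bit length of p and q, which is why the ladder can run over a fixed width derived from the modulus rather than from the secret exponent.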
Comment 7 Pedro Monreal Gonzalez 2017-05-31 15:42:27 UTC
Created attachment 727172 [details]
Patch for SLE-12

Updated patch and new maintenance request mr#133484.
Comment 8 Swamp Workflow Management 2017-06-02 16:13:06 UTC
SUSE-SU-2017:1481-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 991464
CVE References: CVE-2016-6489
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libnettle-2.7.1-12.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libnettle-2.7.1-12.1
SUSE Linux Enterprise Server 12-SP2 (src):    libnettle-2.7.1-12.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libnettle-2.7.1-12.1
Comment 9 Swamp Workflow Management 2017-06-12 10:09:27 UTC
openSUSE-SU-2017:1533-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 991464
CVE References: CVE-2016-6489
Sources used:
openSUSE Leap 42.2 (src):    libnettle-2.7.1-10.3.1
Comment 11 Marcus Meissner 2017-10-25 20:00:22 UTC
released
Comment 12 Swamp Workflow Management 2019-02-03 09:52:36 UTC
This is an autogenerated message for OBS integration:
This bug (991464) was mentioned in
https://build.opensuse.org/request/show/670843 15.1 / libnettle