Main Vulnerability Database Vulnerabilities #VU13400

Information disclosure in MatrixSSL - CVE-2018-12439

Published: June 18, 2018 / Updated: June 20, 2018

Vulnerability identifier: #VU13400

CSH Severity: Low

CVSS v4.0:

CVE-ID: CVE-2018-12439

CWE-ID: CWE-200

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: InsideSecure

Affected software:
MatrixSSL

Detailed vulnerability description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists in the MatrixSSL library due to a leakage of information through memory caches when the library uses a private key to create Elliptic Curve Digital Signature Algorithm (ECDSA) signatures as demonstrayed in the dsa/dsa.cpp, ec_group/ec_group.cpp, and ecdsa/ecdsa.cpp source code files. A local attacker can conduct a memory-cache side-channel attack and recover sensitive information, such ECDSA private keys, which could be used to conduct further attacks.

How to mitigate CVE-2018-12439

Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.

Sources

https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

Information disclosure in MatrixSSL - CVE-2018-12439

Detailed vulnerability description

How to mitigate CVE-2018-12439

Sources

Please verify you're human