Main Vulnerability Database Vulnerabilities #VU14438

#VU14438 Memory-cache side-channel timing attack in LibreSSL - CVE-2018-12434

Published: August 14, 2018 / Updated: August 16, 2018

Vulnerability identifier: #VU14438

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-12434

CWE-ID: CWE-200

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
LibreSSL

Software vendor:
OpenBSD

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists due to information leak via memory caches when modular addition calculations may not run in constant time when private keys are used to generate Elliptic Curve Digital Signature Algorithm (ECDSA) or Digital Signature Algorithm (DSA) signatures. A local attacker can conduct memory-cache side-channel timing attacks and recover sensitive information, such as the ECDSA or DSA private keys used to generate the signatures, which could be used to conduct additional attacks.

Remediation

Update to version 2.6.5, 2.7.4.

#VU14438 Memory-cache side-channel timing attack in LibreSSL - CVE-2018-12434

Description

Remediation

External links

Please verify you're human