CVE-2016-7055
openssl: Carry propagating bug in Montgomery multiplication
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impossible. This is because the subroutine in question is not used in operations with the private key itself and an input of the attacker's direct choice. Otherwise the bug can manifest itself as transient authentication and key negotiation failures or reproducible erroneous outcome of public-key operations with specially crafted input. Among EC algorithms only Brainpool P-512 curves are affected and one presumably can attack ECDH key negotiation. Impact was not analyzed in detail, because pre-requisites for attack are considered unlikely. Namely multiple clients have to choose the curve in question and the server has to share the private key among them, neither of which is default behaviour. Even then only clients that chose the curve will be affected.
Existe un error de propagación de acarreo en el procedimiento de multiplicación Montgomery Broadwell-specific en OpenSSL 1.0.2 y 1.1.0 en versiones anteriores a la 1.1.0c, que maneja longitudes de entrada divisibles por, pero más largas que 256 bits. El análisis sugiere que los ataques contra las claves privadas RSA, DSA y DH son imposibles. Esto se debe a que dicha subrutina no se utiliza en operaciones con la clave privada y una entrada elegida directamente por el atacante. En caso contrario, el error puede manifestarse como una autenticación transitoria o con errores en la negociación de claves o en un resultado erróneo reproducible en operaciones de clave pública a través de una entrada especialmente diseñada. Entre los algoritmos de Curva Eliptica solo los Brainpool P-512 están afectados y presumiblemente puede atacarse la negociación de claves ECDH. El impacto no se analizó en detalle, ya que los requisitos previos para el ataque se consideran improbables. Notese que varios clientes tienen que elegir la curva en cuestión y el servidor tiene que compartir la clave privada entre ellos, lo que no es un comportamiento por defecto en ningún caso. Incluso en esa situación, sólo los clientes que eligieron la curva se verán afectados.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-08-23 CVE Reserved
- 2016-11-10 CVE Published
- 2024-08-06 CVE Updated
- 2024-10-14 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-682: Incorrect Calculation
CAPEC
References (17)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/94242 | Third Party Advisory | |
| http://www.securitytracker.com/id/1037261 | Third Party Advisory | |
| https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbgn03752en_us | Third Party Advisory | |
| https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03744en_us | Third Party Advisory | |
| https://www.tenable.com/security/tns-2017-04 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:2185 | 2022-09-01 | |
| https://access.redhat.com/errata/RHSA-2018:2186 | 2022-09-01 | |
| https://access.redhat.com/errata/RHSA-2018:2187 | 2022-09-01 | |
| https://security.FreeBSD.org/advisories/FreeBSD-SA-17:02.openssl.asc | 2022-09-01 | |
| https://security.gentoo.org/glsa/201702-07 | 2022-09-01 | |
| https://www.openssl.org/news/secadv/20161110.txt | 2022-09-01 | |
| https://access.redhat.com/security/cve/CVE-2016-7055 | 2018-07-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1393929 | 2018-07-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | >= 1.0.2 < 1.0.2k Search vendor "Openssl" for product "Openssl" and version " >= 1.0.2 < 1.0.2k" | - |
Affected
| ||||||
| Openssl Search vendor "Openssl" | Openssl Search vendor "Openssl" for product "Openssl" | >= 1.1.0 < 1.1.0c Search vendor "Openssl" for product "Openssl" and version " >= 1.1.0 < 1.1.0c" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 4.0.0 <= 4.1.2 Search vendor "Nodejs" for product "Node.js" and version " >= 4.0.0 <= 4.1.2" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 4.2.0 < 4.7.3 Search vendor "Nodejs" for product "Node.js" and version " >= 4.2.0 < 4.7.3" | lts |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 6.0.0 <= 6.8.1 Search vendor "Nodejs" for product "Node.js" and version " >= 6.0.0 <= 6.8.1" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 6.9.0 < 6.9.5 Search vendor "Nodejs" for product "Node.js" and version " >= 6.9.0 < 6.9.5" | lts |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 7.0.0 < 7.5.0 Search vendor "Nodejs" for product "Node.js" and version " >= 7.0.0 < 7.5.0" | - |
Affected
| ||||||