// For flags

CVE-2018-0495

ROHNP: Key Extraction Side Channel in Multiple Crypto Libraries

Severity Score

4.7
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated through the use of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.

Libgcrypt en versiones anteriores a la 1.7.10 y versiones 1.8.x anteriores a la 1.8.3 permite un ataque de canal lateral por caché de memoria en las firmas ECDSA que se puede mitigar mediante el uso de la ocultación durante el proceso de firmado en la función _gcry_ecc_ecdsa_sign en cipher/ecc-ecdsa.c. Esto también se conoce como Return Of the Hidden Number Problem o ROHNP. Para descubrir una clave ECDSA, el atacante necesita acceso a la máquina local o a una máquina virtual diferente en el mismo host físico.

Keegan Ryan discovered that OpenSSL incorrectly handled ECDSA key generation. An attacker could possibly use this issue to perform a cache-timing attack and recover private ECDSA keys. Guido Vranken discovered that OpenSSL incorrectly handled very large prime values during a key agreement. A remote attacker could possibly use this issue to consume resources, leading to a denial of service. Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia discovered that OpenSSL incorrectly handled RSA key generation. An attacker could possibly use this issue to perform a cache-timing attack and recover private RSA keys. Various other issues were also addressed.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2017-11-27 CVE Reserved
  • 2018-06-13 CVE Published
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-203: Observable Discrepancy
CAPEC
References (23)
URL Tag Source
http://www.securitytracker.com/id/1041144 Third Party Advisory
http://www.securitytracker.com/id/1041147 Third Party Advisory
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git%3Ba=commit%3Bh=9010d1576e278a4274ad3f4aa15776c28f6ba965 X_refsource_misc
https://lists.debian.org/debian-lts-announce/2018/06/msg00013.html Mailing List
URL Date SRC
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem 2024-08-05
URL Date SRC
https://dev.gnupg.org/T4011 2023-11-07
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html 2023-11-07
URL Date SRC
https://access.redhat.com/errata/RHSA-2018:3221 2023-11-07
https://access.redhat.com/errata/RHSA-2018:3505 2023-11-07
https://access.redhat.com/errata/RHSA-2019:1296 2023-11-07
https://access.redhat.com/errata/RHSA-2019:1297 2023-11-07
https://access.redhat.com/errata/RHSA-2019:1543 2023-11-07
https://access.redhat.com/errata/RHSA-2019:2237 2023-11-07
https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html 2023-11-07
https://usn.ubuntu.com/3689-1 2023-11-07
https://usn.ubuntu.com/3689-2 2023-11-07
https://usn.ubuntu.com/3692-1 2023-11-07
https://usn.ubuntu.com/3692-2 2023-11-07
https://usn.ubuntu.com/3850-1 2023-11-07
https://usn.ubuntu.com/3850-2 2023-11-07
https://www.debian.org/security/2018/dsa-4231 2023-11-07
https://access.redhat.com/security/cve/CVE-2018-0495 2020-04-14
https://bugzilla.redhat.com/show_bug.cgi?id=1591163 2020-04-14
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Gnupg
Search vendor "Gnupg"
 Libgcrypt
Search vendor "Gnupg" for product "Libgcrypt"
 < 1.7.10
Search vendor "Gnupg" for product "Libgcrypt" and version " < 1.7.10"
-
Affected
Gnupg
Search vendor "Gnupg"
 Libgcrypt
Search vendor "Gnupg" for product "Libgcrypt"
 >= 1.8.0 < 1.8.3
Search vendor "Gnupg" for product "Libgcrypt" and version " >= 1.8.0 < 1.8.3"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 12.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04"
esm
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 17.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "17.10"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 18.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 18.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Redhat
Search vendor "Redhat"
 Ansible Tower
Search vendor "Redhat" for product "Ansible Tower"
 3.3
Search vendor "Redhat" for product "Ansible Tower" and version "3.3"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Desktop
Search vendor "Redhat" for product "Enterprise Linux Desktop"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Desktop" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"
-
Affected
Oracle
Search vendor "Oracle"
 Traffic Director
Search vendor "Oracle" for product "Traffic Director"
 11.1.1.9.0
Search vendor "Oracle" for product "Traffic Director" and version "11.1.1.9.0"
-
Affected