CVE-2019-1547

ECDSA remote timing attack

Severity Score

4.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c). Fixed in OpenSSL 1.1.0l (Affected 1.1.0-1.1.0k). Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s).

Normalmente en los grupos EC de OpenSSL siempre tienen un cofactor presente y este es usado en rutas de código resistentes a canales laterales. Sin embargo, en ciertos casos, es posible construir un grupo usando parámetros explícitos (en lugar de usar una curva nombrada). En esos casos, es posible que dicho grupo no tenga el cofactor presente. Esto puede ocurrir incluso cuando todos los parámetros coinciden con una curva de nombre conocido. Si es utilizada dicha curva, entonces OpenSSL recurre a rutas de código resistentes a canales no laterales lo que puede resultar en una recuperación de clave completa durante una operación de firma ECDSA. Para que sea vulnerable, un atacante tendría que tener la capacidad de cronometrar la creación de un gran número de firmas donde parámetros explícitos sin cofactor presente están en uso mediante una aplicación que utiliza libcrypto. Para evitar dudas, libssl no es vulnerable porque nunca se utilizan parámetros explícitos. Corregido en OpenSSL versión 1.1.1d (afectada la versión 1.1.1-1.1.1c). Corregido en OpenSSL versión 1.1.0l (afectada la versión 1.1.0-1.1.0k). Corregida en OpenSSL versión 1.0.2t (afectada la versión 1.0.2-1.0.2s).

Robert Merget, Marcus Brinkmann, Nimrod Aviram, and Juraj Somorovsky discovered that certain Diffie-Hellman ciphersuites in the TLS specification and implemented by OpenSSL contained a flaw. A remote attacker could possibly use this issue to eavesdrop on encrypted communications. This was fixed in this update by removing the insecure ciphersuites from OpenSSL. Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley discovered that OpenSSL incorrectly handled ECDSA signatures. An attacker could possibly use this issue to perform a timing side-channel attack and recover private ECDSA keys. This issue only affected Ubuntu 18.04 LTS. Various other issues were also addressed.

*Credits: Cesar Pereida García, Sohaib ul Hassan, Nicola Tuveri, Iaroslav Gridin, Alejandro Cabrera Aldaya, and Billy Brumley

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2018-11-28 CVE Reserved
2019-09-10 CVE Published
2024-09-16 CVE Updated
2025-04-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-602: Client-Side Enforcement of Server-Side Security

CAPEC

References (37)

URL	Tag	Source
http://packetstormsecurity.com/files/154467/Slackware-Security-Advisory-openssl-Updates.html
https://arxiv.org/abs/1909.01785	Third Party Advisory
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=21c856b75d81eff61aa63b4f036bb64a85bf6d46
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=30c22fa8b1d840036b8e203585738df62a03cec8
https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7c1709c2da5414f5b6133d00a03fc8c5bf996c7a
https://kc.mcafee.com/corporate/index?page=content&id=SB10365
https://lists.debian.org/debian-lts-announce/2019/09/msg00026.html	Mailing List
https://seclists.org/bugtraq/2019/Oct/0	Mailing List
https://seclists.org/bugtraq/2019/Oct/1	Mailing List
https://seclists.org/bugtraq/2019/Sep/25	Mailing List
https://security.netapp.com/advisory/ntap-20190919-0002
https://security.netapp.com/advisory/ntap-20200122-0002
https://security.netapp.com/advisory/ntap-20200416-0003
https://security.netapp.com/advisory/ntap-20240621-0006
https://support.f5.com/csp/article/K73422160?utm_source=f5support&amp%3Butm_medium=RSS
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.tenable.com/security/tns-2019-08
https://www.tenable.com/security/tns-2019-09

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00054.html	2024-06-21
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00072.html	2024-06-21
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00012.html	2024-06-21
http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00016.html	2024-06-21
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GY6SNRJP2S7Y42GIIDO3HXPNMDYN2U3A	2024-06-21
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZN4VVQJ3JDCHGIHV4Y2YTXBYQZ6PWQ7E	2024-06-21
https://security.gentoo.org/glsa/201911-04	2024-06-21
https://usn.ubuntu.com/4376-1	2024-06-21
https://usn.ubuntu.com/4376-2	2024-06-21
https://usn.ubuntu.com/4504-1	2024-06-21
https://www.debian.org/security/2019/dsa-4539	2024-06-21
https://www.debian.org/security/2019/dsa-4540	2024-06-21
https://www.openssl.org/news/secadv/20190910.txt	2024-06-21
https://access.redhat.com/security/cve/CVE-2019-1547	2020-04-28
https://bugzilla.redhat.com/show_bug.cgi?id=1752090	2020-04-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 1.0.2 <= 1.0.2s Search vendor "Openssl" for product "Openssl" and version " >= 1.0.2 <= 1.0.2s"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 1.1.0 <= 1.1.0k Search vendor "Openssl" for product "Openssl" and version " >= 1.1.0 <= 1.1.0k"		-		Affected
Openssl Search vendor "Openssl"		Openssl Search vendor "Openssl" for product "Openssl"				>= 1.1.1 <= 1.1.1c Search vendor "Openssl" for product "Openssl" and version " >= 1.1.1 <= 1.1.1c"		-		Affected