// For flags

CVE-2024-13176

Timing side-channel in ECDSA signature computation

Severity Score

4.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Issue summary: A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations
could allow recovering the private key by an attacker. However, measuring
the timing would require either local access to the signing application or
a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the attacker
process must either be located in the same physical computer or must
have a very fast network connection with low latency. For that reason
the severity of this vulnerability is Low.

Issue summary: A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations
could allow recovering the private key by an attacker. However, measuring
the timing would require either local access to the signing application or
a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the attacker
process must either be located in the same physical computer or must
have a very fast network connection with low latency. For that reason
the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.

George Pantelakis and Alicja Kario discovered that OpenSSL had a timing side-channel when performing ECDSA signature computations. A remote attacker could possibly use this issue to recover private data. It was discovered that OpenSSL incorrectly handled certain memory operations when using low-level GF elliptic curve APIs with untrusted explicit values for the field polynomial. When being used in this uncommon fashion, a remote attacker could use this issue to cause OpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code.

*Credits: George Pantelakis (Red Hat), Alicja Kario (Red Hat), Tomáš Mráz
CVSS Scores
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-01-07 CVE Reserved
  • 2025-01-20 CVE Published
  • 2025-03-18 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-385: Covert Timing Channel
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
OpenSSL
Search vendor "OpenSSL"
 OpenSSL
Search vendor "OpenSSL" for product "OpenSSL"
 >= 3.4.0 < 3.4.1
Search vendor "OpenSSL" for product "OpenSSL" and version " >= 3.4.0 < 3.4.1"
en
Affected
OpenSSL
Search vendor "OpenSSL"
 OpenSSL
Search vendor "OpenSSL" for product "OpenSSL"
 >= 3.3.0 < 3.3.3
Search vendor "OpenSSL" for product "OpenSSL" and version " >= 3.3.0 < 3.3.3"
en
Affected
OpenSSL
Search vendor "OpenSSL"
 OpenSSL
Search vendor "OpenSSL" for product "OpenSSL"
 >= 3.2.0 < 3.2.4
Search vendor "OpenSSL" for product "OpenSSL" and version " >= 3.2.0 < 3.2.4"
en
Affected
OpenSSL
Search vendor "OpenSSL"
 OpenSSL
Search vendor "OpenSSL" for product "OpenSSL"
 >= 3.1.0 < 3.1.8
Search vendor "OpenSSL" for product "OpenSSL" and version " >= 3.1.0 < 3.1.8"
en
Affected
OpenSSL
Search vendor "OpenSSL"
 OpenSSL
Search vendor "OpenSSL" for product "OpenSSL"
 >= 3.0.0 < 3.0.16
Search vendor "OpenSSL" for product "OpenSSL" and version " >= 3.0.0 < 3.0.16"
en
Affected