Vigil@nce - OpenSSL: disclosure of DH private key via BN_mod_exp
December 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, with a significant amount of resources, can attack
the DH algorithm, in some OpenSSL usages, in order to compute the
private key.
– Impacted products: Cisco ATA, Cisco AnyConnect Secure Mobility
Client, ASA, AsyncOS, Cisco Content SMA, Cisco ESA, Cisco Nexus,
NX-OS, Cisco Prime Access Registrar, Cisco Prime DCNM, Prime
Infrastructure, Secure ACS, Cisco CUCM, Cisco MeetingPlace, Cisco
WSA, BIG-IP Hardware, TMOS, Fedora, FortiAnalyzer, FortiAnalyzer
Virtual Appliance, FortiClient, FortiGate, FortiGate Virtual
Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS,
IRAD, BIND, OpenSSL, Slackware, stunnel, Ubuntu.
– Severity: 1/4.
– Creation date: 03/12/2015.
DESCRIPTION OF THE VULNERABILITY
The OpenSSL library uses the BN_mod_exp() function to perform a
modular exponentiation on large numbers.
However, on an x86_64 processor, the BN_mod_exp() function can
generate an incorrect result during the Montgomery Squaring
procedure.
An attacker, with a significant amount of resources, can therefore
attack the DH algorithm, in some OpenSSL usages, in order to
compute the private key.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/OpenSSL-disclosure-of-DH-private-key-via-BN-mod-exp-18434