CERT RENATER
Contact us
- Email: cert@support.renater.fr
- Web: CERT pages
- Tel: 01.53.94.20.44
- Fax : 01.53.94.20.31
====================================================================
                           CERT-Renater

                 Information Note No. 2008/VULN166
_____________________________________________________________________

DATE                  : 09/05/2008

HARDWARE PLATFORM(S)  : /

OPERATING SYSTEM(S)   : NetBSD running OpenSSL Montgomery.

======================================================================

                 NetBSD Security Advisory 2008-008
                 =================================

Topic:          OpenSSL Montgomery multiplication

Version:        NetBSD-current:      affected
                NetBSD-4.0:          affected
                pkgsrc:              openssl packages prior to 0.9.8g

Severity:       Local information disclosure

Fixed:          NetBSD-current:      April 10, 2008
                NetBSD-4-0 branch:   April 13, 2008
                                     (4.0.1 will include the fix)
                NetBSD-4 branch:     April 13, 2008
                                     (4.1 will include the fix)
                pkgsrc:              openssl-0.9.8g corrects the issue

Abstract
========

A local attacker may be able to retrieve another user's RSA private keys.

This vulnerability has been assigned CVE-2007-3108.

Technical Details
=================

Due to OpenSSL not properly performing Montgomery multiplication it may
allow a local attacker to launch a side-channel attack in order to
retrieve user's private RSA keys.

Solutions and Workarounds
=========================

The following instructions describe how to upgrade your OpenSSL
binaries by updating your source tree and rebuilding and
installing a new version of OpenSSL.

* NetBSD-current:

        Systems running NetBSD-current dated from before 2008-04-10
        should be upgraded to NetBSD-current dated 2008-04-11 or later.

        The following files/directories need to be updated from the
        netbsd-current CVS branch (aka HEAD):
                crypto/dist/openssl/crypto/bn/bn_mont.c

        To update from CVS, re-build, and re-install OpenSSL:
                # cd src
                # cvs update crypto/dist/openssl/crypto/bn/bn_mont.c
                # cd lib/libcrypt
                # make USETOOLS=no cleandir dependall
                # cd ../../lib/libcrypto
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

* NetBSD 4.*:

        Systems running NetBSD 4.* sources dated from before
        2008-04-13 should be upgraded from NetBSD 4.* sources dated
        2008-04-14 or later.

        The following files/directories need to be updated from the
        netbsd-4 or netbsd-4-0 branches:
                crypto/dist/openssl/crypto/bn/bn_mont.c

        To update from CVS, re-build, and re-install OpenSSL:
                # cd src
                # cvs update -r\ crypto/dist/openssl/crypto/bn/bn_mont.c
                # cd lib/libcrypt
                # make USETOOLS=no cleandir dependall
                # cd ../../lib/libcrypto
                # make USETOOLS=no cleandir dependall
                # make USETOOLS=no install

Revision History
================

        2008-05-08      Initial release

More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.

Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-008.txt,v 1.1 2008/05/06 21:36:26 adrianp Exp $

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
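
Added example (not part of the NetBSD advisory or the CERT-Renater note): a POSIX sh check that classifies pkgsrc OpenSSL package names against the advisory's "prior to 0.9.8g" threshold. The function names and the sample package names are hypothetical and constructed for illustration; base-system installs are covered by the source dates in the advisory, not by this check.

```sh
#!/bin/sh
# Added example: classify pkgsrc OpenSSL package names against the advisory's
# statement that "openssl packages prior to 0.9.8g" are affected.
FIXED_VERSION="0.9.8g"

# Compare two validated versions (N.N.N plus optional lowercase letters).
# Prints -1, 0 or 1.
cmp_openssl_version() {
    a_num=${1%%[a-z]*}; a_let=${1#"$a_num"}
    b_num=${2%%[a-z]*}; b_let=${2#"$b_num"}
    for i in 1 2 3; do
        x=$(printf '%s\n' "$a_num" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b_num" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
    done
    # Same numeric part: a shorter letter suffix is older ("" < "g" < "za").
    if [ "${#a_let}" -ne "${#b_let}" ]; then
        if [ "${#a_let}" -lt "${#b_let}" ]; then echo -1; else echo 1; fi
    elif [ "$a_let" = "$b_let" ]; then echo 0
    elif LC_ALL=C expr "x$a_let" \< "x$b_let" >/dev/null; then echo -1
    else echo 1
    fi
}

# Print "affected", "fixed" or "unknown" for a package name such as
# openssl-0.9.8f or openssl-0.9.8gnb1 (the pkgsrc revision suffix is ignored).
openssl_pkg_status() {
    v=$(printf '%s\n' "$1" | sed -e 's/^openssl-//' -e 's/nb[0-9][0-9]*$//')
    if ! printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+[a-z]*$'; then
        echo unknown; return 0
    fi
    if [ "$(cmp_openssl_version "$v" "$FIXED_VERSION")" -lt 0 ]; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed sample inventory, not taken from the advisory.
for pkg in openssl-0.9.7m openssl-0.9.8f openssl-0.9.8g openssl-0.9.8gnb1 openssl-snapshot; do
    printf '%-20s %s\n' "$pkg" "$(openssl_pkg_status "$pkg")"
done
```

Names that do not parse as an OpenSSL release are reported as "unknown" rather than guessed, so they can be reviewed by hand.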