CERT RENATER advisories

By default, this page shows the latest messages sent by CERT RENATER to the community. You can narrow the list by year or by message type. If no criterion is given, only the most recent messages are displayed.
Date : Fri, 09 May 2008 18:13:05 +0200
Type : VULN
Sujet : CERT-Renater : 2008/VULN166 (NetBSD: OpenSSL Montgomery multiplication)
====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN166
_____________________________________________________________________

DATE                      : 09/05/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : NetBSD running OpenSSL (Montgomery multiplication code).

======================================================================

		 NetBSD Security Advisory 2008-008
		 =================================

Topic:		OpenSSL Montgomery multiplication

Version:	NetBSD-current:	 	affected
		NetBSD-4.0:	 	affected
		pkgsrc:			openssl packages prior to 0.9.8g

Severity:	Local information disclosure

Fixed:		NetBSD-current:		April 10, 2008
		NetBSD-4-0 branch:	April 13, 2008
			(4.0.1 will include the fix)
		NetBSD-4 branch: 	April 13, 2008
			(4.1 will include the fix)
		pkgsrc:			openssl-0.9.8g corrects the issue


Abstract
========

A local attacker may be able to retrieve another user's RSA private keys.

This vulnerability has been assigned CVE-2007-3108.


Technical Details
=================

Because OpenSSL does not perform Montgomery multiplication properly, a
local attacker may be able to mount a side-channel attack and recover
another user's private RSA keys.
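The advisory says only that Montgomery multiplication was "not properly performed". The toy C below, added here and not taken from the advisory or from OpenSSL's bn_mont.c, shows the classic leak this operation is prone to: the final "subtract n if the result is too large" step of the reduction, which in a branchy implementation runs or not depending on secret-derived operands, next to a constant-time version that always subtracts and selects the result with a borrow mask. That the OpenSSL fix was of this kind is my understanding, not something the page states; the word size (R = 2^32), the moduli and the LCG-generated operands are constructed for illustration.

```c
#include <stdint.h>

/* Toy word-sized Montgomery arithmetic: R = 2^32 and an odd modulus n < 2^31, so
 * T + m*n below never overflows 64 bits. All parameters here are constructed. */
/* n' = -n^{-1} mod 2^32 by Newton iteration (odd n only). */
static uint32_t mont_nprime(uint32_t n) {
    uint32_t inv = n;                         /* n*n == 1 mod 8: 3 correct bits */
    for (int i = 0; i < 4; i++) inv *= 2u - n * inv;   /* 3 -> 6 -> 12 -> 24 -> 48 bits */
    return 0u - inv;
}
/* Montgomery form of x, i.e. x*R mod n (setup only, not timing-sensitive here). */
static uint32_t to_mont(uint32_t x, uint32_t n) {
    return (uint32_t)(((uint64_t)x << 32) % n);
}
/* REDC with the leak: the final "subtract n if t >= n" is a branch on secret-derived
 * data. *extra records whether that extra reduction ran for these operands. */
static uint32_t redc_branchy(uint64_t T, uint32_t n, uint32_t np, int *extra) {
    uint32_t m = (uint32_t)T * np;            /* m = (T mod R) * n' mod R */
    uint64_t t = (T + (uint64_t)m * n) >> 32; /* exact division by R, t < 2n */
    *extra = (t >= n);
    if (t >= n) t -= n;                       /* data-dependent branch */
    return (uint32_t)t;
}
/* Constant-time REDC: always compute t - n and select with a borrow mask. */
static uint32_t redc_ct(uint64_t T, uint32_t n, uint32_t np) {
    uint32_t m = (uint32_t)T * np;
    uint64_t t = (T + (uint64_t)m * n) >> 32;
    uint64_t diff = t - n;                    /* bit 63 set iff t < n (borrow) */
    uint64_t keep_t = 0 - (diff >> 63);       /* all ones iff t < n */
    return (uint32_t)((t & keep_t) | (diff & ~keep_t));
}
/* x*y mod n through Montgomery form, using only the constant-time path. */
static uint32_t mulmod_mont(uint32_t x, uint32_t y, uint32_t n) {
    uint32_t np = mont_nprime(n);
    uint32_t xyR = redc_ct((uint64_t)to_mont(x, n) * to_mont(y, n), n, np);
    return redc_ct(xyR, n, np);               /* strip the remaining factor R */
}
/* 1 if both REDC variants agree on `trials` LCG-generated operand pairs; *extra_count
 * receives how often the branchy variant took the extra reduction (operand-dependent). */
static int redc_paths_agree(uint32_t n, int trials, int *extra_count) {
    uint32_t np = mont_nprime(n), s = 12345u;
    *extra_count = 0;
    for (int i = 0; i < trials; i++) {
        s = s * 1103515245u + 12345u; uint32_t a = s % n;
        s = s * 1103515245u + 12345u; uint32_t b = s % n;
        int extra;
        if (redc_branchy((uint64_t)a * b, n, np, &extra) != redc_ct((uint64_t)a * b, n, np))
            return 0;
        *extra_count += extra;
    }
    return 1;
}
```

Both variants return identical values; the difference is that the branchy one's control flow (and thus its timing and branch-predictor state) depends on the operands, which is what a local side-channel observer can measure.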


Solutions and Workarounds
=========================

The following instructions describe how to upgrade your OpenSSL
binaries by updating your source tree and rebuilding and
installing a new version of OpenSSL.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2008-04-10
	should be upgraded to NetBSD-current dated 2008-04-11 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/dist/openssl/crypto/bn/bn_mont.c

	To update from CVS, re-build, and re-install OpenSSL:

		# cd src
		# cvs update crypto/dist/openssl/crypto/bn/bn_mont.c
		# cd lib/libcrypt
		# make USETOOLS=no cleandir dependall
		# cd ../../lib/libcrypto
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install
		

* NetBSD 4.*:

	Systems running NetBSD 4.* sources dated from before
	2008-04-13 should be upgraded from NetBSD 4.* sources dated
	2008-04-14 or later.

	The following files/directories need to be updated from the
	netbsd-4 or netbsd-4-0 branches:
		crypto/dist/openssl/crypto/bn/bn_mont.c

	To update from CVS, re-build, and re-install OpenSSL:

		# cd src
		# cvs update -r  \
			crypto/dist/openssl/crypto/bn/bn_mont.c
		# cd lib/libcrypt
		# make USETOOLS=no cleandir dependall
		# cd ../../lib/libcrypto
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Revision History
================

	2008-05-08	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
 
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-008.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-008.txt,v 1.1 2008/05/06 21:36:26 adrianp Exp $

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================