OpenSSL: ECDSA P-256 timing attack key recovery

Submitted on 11. January 2017 - 17:31 by rischi.
Last update on 10. March 2017 - 17:17.

IDs:

CVE-2016-7056

Keywords:

OpenSSL, ECDSA, P-256

Description:

OpenSSL 1.0.1u and previous versions are affected by a timing attack vulnerability [1]. A local user may be able to extract the private key.

Airlock WAF is not affected.

Details:

Airlock WAF 6.0 and 6.1 are using OpenSSL version 1.0.2 which is not affected.

Airlock WAF 5.3.1 is using the affected OpenSSL version 1.0.1. Exploiting the vulnerability required local access to the system. There are no interactive local users in Airlock WAF besides root which is trusted and has access to the private key anyway.

Resolution:

No action required.

Component:

Airlock

Airlock Vulnerability Status:

Does not affect Airlock

Back-end Vulnerability Status:

No action required

Reference:

seclists.org: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)

Main menu

Navigation

User menu

You are here

OpenSSL: ECDSA P-256 timing attack key recovery

Main menu

Search form

Navigation

User menu

You are here

OpenSSL: ECDSA P-256 timing attack key recovery