CVE-2016-7055

Priority
Description
There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that
handles input lengths divisible by, but longer than 256 bits. Analysis
suggests that attacks against RSA, DSA and DH private keys are impossible.
This is because the subroutine in question is not used in operations with
the private key itself and an input of the attacker's direct choice.
Otherwise the bug can manifest itself as transient authentication and key
negotiation failures or reproducible erroneous outcome of public-key
operations with specially crafted input. Among EC algorithms only Brainpool
P-512 curves are affected and one presumably can attack ECDH key
negotiation. Impact was not analyzed in detail, because the prerequisites for
an attack are considered unlikely. Namely, multiple clients have to choose the
curve in question and the server has to share the private key among them,
neither of which is default behaviour. Even then only clients that chose
the curve will be affected.
Assigned-to
mdeslaur
Notes
mdeslaur: only affects 1.0.2 and 1.1.0
Package
Upstream: needs-triage
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (1.0.1f-1ubuntu2.21)
Ubuntu 16.04 LTS (Xenial Xerus): released (1.0.2g-1ubuntu4.6)
Patches:
Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=2fac86d9abeaa643677d1ffd0a139239fdf9406a (master)
Upstream: https://git.openssl.org/?p=openssl.git;a=commit;h=57c4b9f6a2f800b41ce2836986fe33640f6c3f8a (1.0.2)
Package
Upstream: not-affected
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was not-affected)
Ubuntu 16.04 LTS (Xenial Xerus): DNE
More Information

Updated: 2020-01-29 19:56:29 UTC (commit 768ceb2fdee6790d707d0f681e1b54916744af1e)