crypto/elliptic: CPU DoS vulnerability affecting P-521 and P-384 #29903
Comments
Change https://golang.org/cl/159218 mentions this issue:
Can you elaborate on this, thank you: "if an ECDH private key is reused more than once, the attack can also lead to key recovery."
If ECDH is used in an Ephemeral-Static protocol, the attacker can use multiple tries to recover the static private key. crypto/tls does not reuse ECDH private keys, so is unaffected, but certain JWT encryption modes are based on ECDH-ES, so would be affected if the private key is a P-384 or P-521 key.
Was this issue introduced with go v1.10? Should we be updating projects using versions below v1.10?
This is going directly to stable on amd64. Bug: golang/go#29903 Copyright: Sony Interactive Entertainment Inc. Package-Manager: Portage-2.3.56, Repoman-2.3.12 RepoMan-Options: --force Signed-off-by: William Hubbs <[email protected]>
Resolves CVE-2019-6486. See details at golang/go#29903. Signed-off-by: Patrick McCarty <[email protected]>
No, this was introduced earlier, but we only support the last two Go releases.
Out of curiosity, why didn't we remove this "Add(P)" altogether? Mod(P) is always called afterwards and the specification of big.Int.Mod says it will never return a negative number if P > 0.
@remyoudompheng Security patches aim to be as minimal as possible. A follow-up change will indeed significantly simplify that function.
golang issue golang/go#29903 K8S issue kubernetes/kubernetes#73238
**What this PR does / why we need it**:
> We have just released Go 1.11.5 and Go 1.10.8 to address a recently reported security issue. We recommend that all users update to one of these releases (if you're not sure which, choose Go 1.11.5).
>
> This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.
>
> These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
>
> The issue is CVE-2019-6486 and Go issue golang/go#29903. See the Go issue for more details.

K8S issue kubernetes/kubernetes#73238

**Which issue(s) this PR fixes**: n/a

**Special notes for your reviewer**:

**Release note**:
```improvement operator
NONE
```

/cc @ThormaehlenFred
If beta8 is unusually large, the addition loop might take a very long time to bring x3-beta8 back positive. This would lead to a DoS vulnerability in the implementation of the P-521 and P-384 elliptic curves that may let an attacker craft inputs to ScalarMult that consume excessive amounts of CPU.

This fixes CVE-2019-6486.

Fixes golang#29903

Change-Id: Ia969e8b5bf5ac4071a00722de9d5e4d856d8071a
Reviewed-on: https://team-review.git.corp.google.com/c/399777
Reviewed-by: Adam Langley <[email protected]>
Reviewed-by: Julie Qiu <[email protected]>
Reviewed-on: https://go-review.googlesource.com/c/159218
Reviewed-by: Julie Qiu <[email protected]>
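The commit message above and the earlier Add(P)/Mod(P) exchange both turn on one arithmetic fact: a "keep adding P until the value is non-negative" loop runs a number of iterations proportional to how many multiples of P the intermediate value has drifted below zero, whereas a single big.Int.Mod with P > 0 returns a value in [0, P) in time bounded by the operand's bit length. The following is an added illustration written for this page; it is not code from the Go tree or from anyone in this thread. The function names reduceByLoop, reduceByMod and sampleInput, the iteration budget, and the choice of the P-384 modulus (taken from crypto/elliptic's curve parameters) are all this example's own assumptions, and the loop is deliberately capped so the demonstration itself stays bounded.

```go
package main

import (
	"crypto/elliptic"
	"errors"
	"fmt"
	"math/big"
)

// ErrLoopBudgetExceeded is returned when the repeated-addition reduction
// would need more iterations than the caller allows.
var ErrLoopBudgetExceeded = errors.New("reduction loop exceeded iteration budget")

// reduceByLoop brings x into [0, p) by adding p while x is negative, the
// pattern the commit message describes as a busy loop. The maxIters guard is
// an assumption of this example (a cap a defensive implementation might
// impose), so the demonstration never spins unboundedly. It returns the
// reduced value and the number of additions performed.
func reduceByLoop(x, p *big.Int, maxIters int) (*big.Int, int, error) {
	r := new(big.Int).Set(x)
	iters := 0
	for r.Sign() < 0 {
		if iters >= maxIters {
			return nil, iters, ErrLoopBudgetExceeded
		}
		r.Add(r, p)
		iters++
	}
	// The trailing Mod mirrors the "Mod(P) is always called afterwards" remark.
	return r.Mod(r, p), iters, nil
}

// reduceByMod does the same job with one Euclidean modulus. For p > 0,
// big.Int.Mod never returns a negative value, and its cost depends on the
// bit length of x rather than on how far below zero x lies.
func reduceByMod(x, p *big.Int) *big.Int {
	return new(big.Int).Mod(x, p)
}

// sampleInput builds the constructed value x = -(k*p) - d. For 0 < d < p the
// addition loop needs exactly k+1 additions to make x non-negative.
func sampleInput(p *big.Int, k, d int64) *big.Int {
	x := new(big.Int).Mul(p, big.NewInt(k))
	x.Neg(x)
	return x.Sub(x, big.NewInt(d))
}

func main() {
	p := elliptic.P384().Params().P

	// A mildly negative value: both strategies agree and the loop is cheap.
	small := sampleInput(p, 3, 7)
	r, n, err := reduceByLoop(small, p, 1000)
	fmt.Println(n, err, r.Cmp(reduceByMod(small, p)) == 0) // 4 <nil> true

	// A value a million multiples of p below zero: the loop blows its budget,
	// while Mod still returns the canonical residue p-1 immediately.
	huge := sampleInput(p, 1<<20, 1)
	_, n, err = reduceByLoop(huge, p, 1000)
	fmt.Println(n, err)
	want := new(big.Int).Sub(p, big.NewInt(1))
	fmt.Println(reduceByMod(huge, p).Cmp(want) == 0) // true
}
```

Run it with `go run` on a single file. The point to take away is the one @remyoudompheng raised: once the final Mod is there, the sign-fixing loop adds nothing to correctness and only adds a data-dependent amount of work, which is exactly the quantity an attacker-controlled input can inflate.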
Upstream only supports two latest releases. golang/go#29903 (comment) (cherry picked from commit a687ef9)
This was not mentioned in the announcement by my mistake, but this issue was found by running Wycheproof test vectors, and reported by the Wycheproof team.
A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.
These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
This issue is CVE-2019-6486. It was found and reported by the Wycheproof project.