
RVD#1463: The OpenSSL RSA Key generation algorithm is vulnerable to a cache timing side channel attack #1463

@rvd-bot

{
    "id": 1463,
    "title": "RVD#1463: The OpenSSL RSA Key generation algorithm is vulnerable to a cache timing side channel attack",
    "type": "vulnerability",
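    "description": "The OpenSSL RSA Key generation algorithm has been shown to be vulnerable to a cache timing side channel attack. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. Fixed in OpenSSL 1.1.0i-dev (Affected 1.1.0-1.1.0h). Fixed in OpenSSL 1.0.2p-dev (Affected 1.0.2b-1.0.2o). Note: the package recorded under flaw.package is a 1.0.1e build, which falls outside the upstream ranges quoted here; check the Debian security tracker entry listed in links for the status of that package.",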
    "cwe": "CWE-327",
    "cve": "CVE-2018-0737",
    "keywords": [
        "openssl",
        "libssl"
    ],
    "system": "URx",
    "vendor": "Universal Robots",
    "severity": {
        "rvss-score": 6.5,
        "rvss-vector": "RVSS:1.0/AV:RN/AC:H/PR:N/UI:N/Y:T/S:U/C:H/I:N/A:N/H:U",
        "severity-description": "medium",
        "cvss-score": 5.9,
        "cvss-vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
    },
    "links": [
        "https://nvd.nist.gov/vuln/detail/CVE-2018-0737",
        "https://security-tracker.debian.org/tracker/CVE-2018-0737",
        "https://www.openssl.org/news/secadv/20180416.txt",
        "https://eprint.iacr.org/2018/367",
        "https://github.com/aliasrobotics/RVD/issues/1463"
    ],
    "flaw": {
        "phase": "exploitation",
        "specificity": "N/A",
        "architectural-location": "third-party",
        "application": "openssl",
        "subsystem": "N/A",
        "package": "libssl1.0.0 1.0.1e-2+deb7u13 i386",
        "languages": "C",
        "date-detected": null,
        "detected-by": "Victor Mayoral Vilches and Lander Usategui San Juan (Alias Robotics)",
        "detected-by-method": "N/A",
        "date-reported": "2020-04-02",
        "reported-by": "Alejandro Cabrera Aldaya, Billy Brumley, Cesar Pereida Garcia and Luis Manuel Alvarez Tapia (original bug); Alias Robotics S.L.",
        "reported-by-relationship": "N/A",
        "issue": "https://github.com/aliasrobotics/RVD/issues/1463",
        "reproducibility": "N/A",
        "trace": "N/A",
        "reproduction": "N/A",
        "reproduction-image": "N/A"
    },
    "exploitation": {
        "description": "An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key",
        "exploitation-image": "N/A",
        "exploitation-vector": "N/A"
    },
    "mitigation": {
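        "description": "Upgrade libssl1.0.0 to a build that carries the fix with `sudo apt-get --assume-yes install --only-upgrade libssl1.0.0`, then confirm the installed version. Upgrading only protects future key generation; RSA keys that were generated with the affected library where an attacker could have observed the cache should be regenerated.",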
        "pull-request": "https://git.openssl.org/?p=openssl.git;a=commit;h=349a41da1ad88ad87825414752a8ff5fdd6a6c3f",
        "date-mitigation": null
    }
}
