| id: GO-2021-0160 |
| modules: |
| - module: std |
| versions: |
| - introduced: 1.5.0-0 |
| fixed: 1.5.3 |
| vulnerable_at: 1.5.2 |
| packages: |
| - package: math/big |
| symbols: |
| - nat.expNNMontgomery |
| - nat.montgomery |
| skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)' |
| summary: Incorrect calculation affecting RSA computations in math/big |
| description: |- |
| Int.Exp Montgomery mishandled carry propagation and produced an incorrect |
| output, which makes it easier for attackers to obtain private RSA keys via |
| unspecified vectors. |
| |
| This issue can affect RSA computations in crypto/rsa, which is used by |
| crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private |
| key due to this issue. Other protocol implementations that create many RSA |
| signatures could also be impacted in the same way. |
| |
| Specifically, incorrect results in one part of the RSA Chinese Remainder |
| computation can cause the result to be incorrect in such a way that it leaks one |
| of the primes. While RSA blinding should prevent an attacker from crafting |
| specific inputs that trigger the bug, on 32-bit systems the bug can be expected |
| to occur at random around one in 2^26 times. Thus collecting around 64 million |
| signatures (of known data) from an affected server should be enough to extract |
| the private key used. |
| |
| Note that on 64-bit systems, the frequency of the bug is so low (less than one |
| in 2^50) that it would be very difficult to exploit. |
| published: 2022-01-05T15:31:16Z |
| cves: |
| - CVE-2015-8618 |
| credits: |
| - Nick Craig-Wood |
| references: |
| - fix: https://go.dev/cl/18491 |
| - fix: https://go.googlesource.com/go/+/1e066cad1ba23f4064545355b8737e4762dd6838 |
| - fix: https://go.googlesource.com/go/+/4306352182bf94f86f0cfc6a8b0ed461cbf1d82c |
| - fix: https://go.dev/cl/17672 |
| - report: https://go.dev/issue/13515 |
| - web: https://groups.google.com/g/golang-announce/c/MEATuOi_ei4 |
| review_status: REVIEWED |