| module: std |
| package: math/big |
| versions: |
| - introduced: go1.5 |
| fixed: go1.5.3 |
| description: | |
| Int.Exp Montgomery mishandled carry propagation and produced an incorrect |
| output, which makes it easier for attackers to obtain private RSA keys via |
| unspecified vectors. |
| |
| This issue can affect RSA computations in crypto/rsa, which is used by |
| crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA |
| private key due to this issue. Other protocol implementations that create |
| many RSA signatures could also be impacted in the same way. |
| |
| Specifically, incorrect results in one part of the RSA Chinese Remainder |
| computation can cause the result to be incorrect in such a way that it leaks |
| one of the primes. While RSA blinding should prevent an attacker from crafting |
| specific inputs that trigger the bug, on 32-bit systems the bug can be expected |
| to occur at random around one in 2^26 times. Thus collecting around 64 million |
| signatures (of known data) from an affected server should be enough to extract |
| the private key used. |
| |
| Note that on 64-bit systems, the frequency of the bug is so low |
| (less than one in 2^50) that it would be very difficult to exploit. |
| cves: |
| - CVE-2015-8618 |
| credit: Nick Craig-Wood |
| symbols: |
| - nat.expNNMontgomery |
| - nat.montgomery |
| links: |
| pr: https://go.dev/cl/18491 |
| commit: https://go.googlesource.com/go/+/1e066cad1ba23f4064545355b8737e4762dd6838 |
| context: |
| - https://go.googlesource.com/go/+/4306352182bf94f86f0cfc6a8b0ed461cbf1d82c |
| - https://go.dev/cl/17672 |
| - https://go.dev/issue/13515 |
| - https://groups.google.com/g/golang-announce/c/MEATuOi_ei4 |