blob: dc81d08f2c375ab7034aa9c62a62f3b598b68611 [file] [log] [blame]
id: GO-2021-0160
modules:
- module: std
versions:
- introduced: 1.5.0-0
fixed: 1.5.3
vulnerable_at: 1.5.2
packages:
- package: math/big
symbols:
- nat.expNNMontgomery
- nat.montgomery
skip_fix: 'TODO: revisit this reason (fix appears to not work with Go <1.18)'
summary: Incorrect calculation affecting RSA computations in math/big
description: |-
Int.Exp Montgomery mishandled carry propagation and produced an incorrect
output, which makes it easier for attackers to obtain private RSA keys via
unspecified vectors.
This issue can affect RSA computations in crypto/rsa, which is used by
crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private
key due to this issue. Other protocol implementations that create many RSA
signatures could also be impacted in the same way.
Specifically, incorrect results in one part of the RSA Chinese Remainder
computation can cause the result to be incorrect in such a way that it leaks one
of the primes. While RSA blinding should prevent an attacker from crafting
specific inputs that trigger the bug, on 32-bit systems the bug can be expected
to occur at random around one in 2^26 times. Thus collecting around 64 million
signatures (of known data) from an affected server should be enough to extract
the private key used.
Note that on 64-bit systems, the frequency of the bug is so low (less than one
in 2^50) that it would be very difficult to exploit.
published: 2022-01-05T15:31:16Z
cves:
- CVE-2015-8618
credits:
- Nick Craig-Wood
references:
- fix: https://go.dev/cl/18491
- fix: https://go.googlesource.com/go/+/1e066cad1ba23f4064545355b8737e4762dd6838
- fix: https://go.googlesource.com/go/+/4306352182bf94f86f0cfc6a8b0ed461cbf1d82c
- fix: https://go.dev/cl/17672
- report: https://go.dev/issue/13515
- web: https://groups.google.com/g/golang-announce/c/MEATuOi_ei4