crypto/elliptic: CPU DoS vulnerability affecting P-521 and P-384 #29903

Closed
julieqiu opened this Issue Jan 23, 2019 · 7 comments

julieqiu commented Jan 23, 2019

A DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.

These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.

This issue is CVE-2019-6486.

gopherbot commented Jan 23, 2019

Change https://golang.org/cl/159218 mentions this issue: crypto/elliptic: reduce subtraction term to prevent long busy loop

Contributor

mirtchovski commented Jan 23, 2019

Can you elaborate on this, thank you:

"if an ECDH private key is reused more than once, the attack can also lead to key recovery."

gopherbot closed this in 193c16a Jan 23, 2019

evan2645 added a commit to evan2645/spire that referenced this issue Jan 23, 2019

Upgrade to go 1.11.5
In response to CVE-2019-6486

golang/go#29903

Signed-off-by: Evan Gilman <evan@scytale.io>

Member

FiloSottile commented Jan 24, 2019

> Can you elaborate on this, thank you:
>
> "if an ECDH private key is reused more than once, the attack can also lead to key recovery."

If ECDH is used in an Ephemeral-Static protocol, the attacker can use multiple tries to recover the static private key. crypto/tls does not reuse ECDH private keys, so is unaffected, but certain JWT encryption modes are based on ECDH-ES, so would be affected if the private key is a P-384 or P-521 key.

cblecker referenced this issue Jan 24, 2019

Closed

Tracking issue: Update to go1.11.5 and 1.10.8 #73238

5 of 5 tasks complete
pawanrawal commented Jan 24, 2019

Was this issue introduced with go v1.10? Should we be updating projects using versions below v1.10?

kopano-bot pushed a commit to Kopano-dev/libkcoidc that referenced this issue Jan 24, 2019

gentoo-bot pushed a commit to gentoo/gentoo that referenced this issue Jan 24, 2019

William Hubbs
dev-lang/go: 1.10.8 and 1.11.5 security bumps
This is going directly to stable on amd64.
Bug: golang/go#29903
Copyright: Sony Interactive Entertainment Inc.
Package-Manager: Portage-2.3.56, Repoman-2.3.12
RepoMan-Options: --force

Signed-off-by: William Hubbs <williamh@gentoo.org>

clrpackages pushed a commit to clearlinux-pkgs/go that referenced this issue Jan 24, 2019

Update to 1.11.5
Resolves CVE-2019-6486. See details at
golang/go#29903.

Signed-off-by: Patrick McCarty <patrick.mccarty@intel.com>
Member

FiloSottile commented Jan 24, 2019

> Was this issue introduced with go v1.10? Should we be updating projects using versions below v1.10?

No, this was introduced earlier, but we only support the last two Go releases.

Contributor

remyoudompheng commented Jan 24, 2019

Out of curiosity, why didn't we remove this "Add(P)" altogether? Mod(P) is always called afterwards and the specification of big.Int.Mod says it will never return a negative number if P > 0.

Member

FiloSottile commented Jan 24, 2019

@remyoudompheng Security patches aim to be as minimal as possible. A follow-up change will indeed significantly simplify that function.

mvladev added a commit to mvladev/gardener that referenced this issue Jan 25, 2019

mvladev added a commit to gardener/gardener-extensions that referenced this issue Jan 25, 2019

Update golang version to 1.11.5
**What this PR does / why we need it**:

> We have just released Go 1.11.5 and Go 1.10.8 to address a recently reported security issue. We recommend that all users update to one of these releases (if you’re not sure which, choose Go 1.11.5).
>
> This DoS vulnerability in the crypto/elliptic implementations of the P-521 and P-384 elliptic curves may let an attacker craft inputs that consume excessive amounts of CPU.
>
> These inputs might be delivered via TLS handshakes, X.509 certificates, JWT tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private key is reused more than once, the attack can also lead to key recovery.
>
> The issue is CVE-2019-6486 and Go issue golang/go#29903. See the Go issue for more details.

K8S issue kubernetes/kubernetes#73238

**Which issue(s) this PR fixes**:
n/a

**Special notes for your reviewer**:

**Release note**:
```improvement operator
NONE
```

/cc @ThormaehlenFred

vcunat added a commit to allowthere/nixpkgs that referenced this issue Jan 27, 2019

go_1_9: mark as insecure (see the parent commit)
Upstream only supports two latest releases.
golang/go#29903 (comment)

russjones added a commit to gravitational/go that referenced this issue Jan 28, 2019

crypto/elliptic: reduce subtraction term to prevent long busy loop
If beta8 is unusually large, the addition loop might take a very long
time to bring x3-beta8 back positive.

This would lead to a DoS vulnerability in the implementation of the
P-521 and P-384 elliptic curves that may let an attacker craft inputs
to ScalarMult that consume excessive amounts of CPU.

This fixes CVE-2019-6486.

Fixes golang#29903

Change-Id: Ia969e8b5bf5ac4071a00722de9d5e4d856d8071a
Reviewed-on: https://team-review.git.corp.google.com/c/399777
Reviewed-by: Adam Langley <agl@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-on: https://go-review.googlesource.com/c/159218
Reviewed-by: Julie Qiu <julie@golang.org>
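
The arithmetic pattern this commit message describes, modelled as an added example (not the crypto/elliptic source and not part of the original thread): it counts how many additions of P the "add until positive" loop needs before and after the subtraction term is reduced, and compares both with the Mod-only form raised in the discussion. The function names, the helper `sample` and its values are constructed for illustration; only `x3`, `beta8` and `P` are names taken from the thread.

```go
package main

import (
	"crypto/elliptic"
	"fmt"
	"math/big"
)

// addBack adds p to r until r is non-negative and reports the number of additions.
func addBack(r, p *big.Int) int {
	n := 0
	for r.Sign() == -1 {
		r.Add(r, p)
		n++
	}
	return n
}

// subLoop models the pre-fix pattern: subtract the unreduced term, then loop.
// The loop runs about beta8/p times, so its cost is set by the size of beta8.
func subLoop(x3, beta8, p *big.Int) (*big.Int, int) {
	r := new(big.Int).Sub(x3, beta8)
	n := addBack(r, p)
	return r.Mod(r, p), n
}

// subReduced models the fix named in the commit title: reduce the subtraction
// term mod p first, so for x3 >= 0 at most one addition is ever needed.
func subReduced(x3, beta8, p *big.Int) (*big.Int, int) {
	r := new(big.Int).Sub(x3, new(big.Int).Mod(beta8, p))
	n := addBack(r, p)
	return r.Mod(r, p), n
}

// subMod is the loop-free form from the discussion: big.Int.Mod is Euclidean,
// so the result is already in [0, p) for p > 0.
func subMod(x3, beta8, p *big.Int) *big.Int {
	r := new(big.Int).Sub(x3, beta8)
	return r.Mod(r, p)
}

// sample returns constructed values: P-384's prime and beta8 = 10000*P + 27.
func sample() (x3, beta8, p *big.Int) {
	p = elliptic.P384().Params().P
	beta8 = new(big.Int).Mul(p, big.NewInt(10000))
	return big.NewInt(5), beta8.Add(beta8, big.NewInt(27)), p
}

func main() {
	x3, beta8, p := sample()
	_, before := subLoop(x3, beta8, p)
	_, after := subReduced(x3, beta8, p)
	fmt.Println("additions before fix:", before, "after fix:", after)
}
```

All three forms return the same residue; only the unreduced loop's running time depends on the magnitude of the value being subtracted.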

Mic92 added a commit to NixOS/nixpkgs that referenced this issue Jan 29, 2019

go_1_9: mark as insecure (see the parent commit)
Upstream only supports two latest releases.
golang/go#29903 (comment)

(cherry picked from commit a687ef9)

alessio referenced this issue Jan 31, 2019

Merged

R4R: Upgrade to go 1.11.5 #3464

1 of 5 tasks complete