CVE-2019-14318

low-risk
Published 2019-07-30

Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because scalar multiplication in ecp.cpp (prime field curves, small leakage) and algebra.cpp (binary field curves, large leakage) is not constant time and leaks the bit length of the scalar among other information.

Do I need to act?

~
3.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Crypto\+\+

Affected Vendors

Cryptopp

References (12)

http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00066.html
http://www.openwall.com/lists/oss-security/2019/10/02/2
Exploit https://eprint.iacr.org/2011/232.pdf
Patch https://github.com/weidai11/cryptopp/issues/869
https://minerva.crocs.fi.muni.cz/
Third Party Advisory https://tches.iacr.org/index.php/TCHES/article/view/7337
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00066.html
http://www.openwall.com/lists/oss-security/2019/10/02/2
Exploit https://eprint.iacr.org/2011/232.pdf
Patch https://github.com/weidai11/cryptopp/issues/869
https://minerva.crocs.fi.muni.cz/
Third Party Advisory https://tches.iacr.org/index.php/TCHES/article/view/7337
29
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 6/34 · Minimal
Exposure 5/34 · Minimal