NVD Vulnerability Detail

CVE-2018-12433

Summary	cryptlib through 3.4.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on the same physical host. NOTE: the vendor does not include side-channel attacks within its threat model
Publication Date	June 15, 2018, 11:29 a.m.
Registration Date	March 1, 2021, 6:49 p.m.
Last Update	Nov. 21, 2024, 12:45 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:cryptlib:cryptlib::::::::			3.4.4

Related information, measures and tools

No	URL	refsource	タグ
1	https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/		Exploit Technical Description Third Party Advisory
2	https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/		Exploit Technical Description Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-200	情報漏えい	https://cwe.mitre.org/data/definitions/200.html
2	CWE-320	鍵管理のエラー	https://cwe.mitre.org/data/definitions/320.html

JVN Vulnerability Information

cryptlib における情報漏えいに関する脆弱性

Title	cryptlib における情報漏えいに関する脆弱性
Summary	未確定本件は、脆弱性として確定していません。 cryptlib には、情報漏えいに関する脆弱性、および鍵管理のエラーに関する脆弱性が存在します。ベンダは、本脆弱性に対して異議を唱えています。詳細については、以下の NVD の Current Description を確認してください。 https://nvd.nist.gov/vuln/detail/CVE-2018-12433
Possible impacts	情報を取得される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	June 13, 2018, midnight
Registration Date	Aug. 24, 2018, 11:09 a.m.
Last Update	Aug. 24, 2018, 11:09 a.m.

Affected System

OpenSSL Project

OpenSSL

Mozilla Foundation

Mozilla Network Security Services (NSS)

OpenBSD

LibreSSL

Google

BoringSSL

wolfSSL Inc.

wolfCrypt

Botan project

Botan

MatrixSSL project

MatrixSSL

Libtom

LibTomCrypt

The GnuPG Project

Libgcrypt

CryptLib

CryptLib 3.4.4 まで

libsunec project

LibSunEC

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2018-12433	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12433
National Vulnerability Database (NVD)
2	CVE-2018-12433	https://nvd.nist.gov/vuln/detail/CVE-2018-12433

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html
2	CWE-320	https://cwe.mitre.org/data/definitions/320.html

ベンダー情報

No	Name	URL
Botan
1	Top Page	https://botan.randombit.net/
cryptlib
2	cryptlib	https://www.cryptlib.com/
GitHub
3	libtomcrypt	https://github.com/libtom/libtomcrypt
4	MatrixSSL	https://github.com/matrixssl/matrixssl
GnuPG
5	Top Page	https://gnupg.org/
Google Git
6	BoringSSL	https://boringssl.googlesource.com/boringssl/
Mozilla Developer Network
7	Network Security Services	https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
OpenBSD
8	LibreSSL	https://www.libressl.org/
OpenSSL
9	Top Page	https://www.openssl.org/
wolfSSL
10	wolfCrypt	https://www.wolfssl.com/products/wolfcrypt/

その他

No	Name	URL
関連文書
1	Technical Advisory: "ROHNP"- Key Extraction Side Channel in Multiple Crypto Libraries	https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

Change Log

No	Changed Details	Date of change
1	[2018年08月23日] 掲載	Aug. 23, 2018, 1:58 p.m.