CVE-2017-3736

NameCVE-2017-3736
DescriptionThere is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4017-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openssl (PTS)jessie1.0.1t-1+deb8u8fixed
jessie (security)1.0.1t-1+deb8u10fixed
stretch1.1.0f-3+deb9u2fixed
stretch (security)1.1.0j-1~deb9u1fixed
buster, sid1.1.1a-1fixed
openssl1.0 (PTS)stretch (security), stretch1.0.2l-2+deb9u3fixed
sid1.0.2q-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
opensslsource(unstable)1.1.0g-1medium
opensslsourcejessie(not affected)
opensslsourcestretch1.1.0f-3+deb9u1medium
opensslsourcewheezy(not affected)
openssl1.0source(unstable)1.0.2m-1medium
openssl1.0sourcestretch1.0.2l-2+deb9u1mediumDSA-4017-1

Notes

[jessie] - openssl <not-affected> (Vulnerable code not present)
[wheezy] - openssl <not-affected> (Vulnerable code not present)
https://www.openssl.org/news/secadv/20171102.txt
Fix for 1.0.2: https://git.openssl.org/?p=openssl.git;a=commit;h=38d600147331d36e74174ebbd4008b63188b321b
Fix for 1.1.0: https://git.openssl.org/?p=openssl.git;a=commit;h=4443cf7aa0099e5ce615c18cee249fff77fb0871

Search for package or bug name: Reporting problems