CVE-2018-20187

Name: CVE-2018-20187
Description: A side-channel issue was discovered in Botan before 2.9.0. An attacker capable of precisely measuring the time taken for ECC key generation may be able to derive information about the high bits of the secret key, as the function to derive the public point from the secret scalar uses an unblinded Montgomery ladder whose loop iteration count depends on the bitlength of the secret. This issue affects only key generation, not ECDSA signatures or ECDH key agreement.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium (attack range: remote)
Debian Bugs: 918732

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release                     Version           Status
botan (PTS)        buster, sid                 2.9.0-2           fixed
botan1.10 (PTS)    jessie, jessie (security)   1.10.8-2+deb8u2   fixed
botan1.10 (PTS)    stretch                     1.10.16-1         fixed

The information below is based on the following data on fixed versions.

Package     Type     Release        Fixed Version     Urgency   Origin   Debian Bugs
botan       source   (unstable)     2.9.0-2           medium             918732
botan       source   experimental   2.9.0-1           medium
botan1.10   source   (unstable)     (not affected)

Notes

- botan1.10 <not-affected> (Vulnerable code introduced in 1.11.20)
https://github.com/randombit/botan/pull/1792
https://github.com/randombit/botan/commit/70aa7303acfff9eefc24598c289a84db3579ebd1
