OpenSSL Security Advisory [20th January 2025]
=============================================

Timing side-channel in ECDSA signature computation (CVE-2024-13176)
===================================================================

Severity: Low

Issue summary: A timing side-channel which could potentially allow recovering
the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations
could allow recovering the private key by an attacker. However, measuring
the timing would require either local access to the signing application or
a very fast network connection with low latency.

There is a timing signal of around 300 nanoseconds when the top word of
the inverted ECDSA nonce value is zero. This can happen with significant
probability only for some of the supported elliptic curves. In particular
the NIST P-521 curve is affected. To be able to measure this leak, the attacker
process must either be located in the same physical computer or must
have a very fast network connection with low latency. For that reason
the severity of this vulnerability is Low.

The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

OpenSSL 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

OpenSSL 3.4 users should upgrade to OpenSSL 3.4.1 once it is released.

OpenSSL 3.3 users should upgrade to OpenSSL 3.3.3 once it is released.

OpenSSL 3.2 users should upgrade to OpenSSL 3.2.4 once it is released.

OpenSSL 3.1 users should upgrade to OpenSSL 3.1.8 once it is released.

OpenSSL 3.0 users should upgrade to OpenSSL 3.0.16 once it is released.

OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1zb once it is released
(premium support customers only).

OpenSSL 1.0.2 users should upgrade to OpenSSL 1.0.2zl once it is released
(premium support customers only).

Due to the low severity of this issue we are not issuing new releases of
OpenSSL at this time. The fix will be included in the next release of each
branch, once it becomes available. The fix is also available in commit
77c608f4 (for 3.4), commit 392dcb33 (for 3.3), commit 4b1cb94 (for 3.2),
commit 2af62e74 (for 3.1) and commit 07272b05 (for 3.0) in the OpenSSL git
repository.

It is available to premium support customers in commit a2639000 (for 1.1.1) and in
commit 0d5fd1ab (for 1.0.2).

This issue was reported on 4th September 2024 by George Pantelakis and
Alicja Kario (Red Hat).
The fix was developed by Tomas Mraz.

General Advisory Notes
======================

URL for this Security Advisory:
https://openssl-library.org/news/secadv/20250120.txt

Note: the online version of the advisory may be updated with additional details
over time.

For details of OpenSSL severity classifications please see:
https://openssl-library.org/policies/general/security-policy/