CVE-2011-1945
Severity CVSS v4.0:
Pending analysis
Type:
CWE-310
Cryptographic Issues
Publication date:
31/05/2011
Last modified:
06/06/2013
Description
The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.
Impact
Base Score 2.0
2.60
Severity 2.0
LOW
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* | 1.0.0d (including) | |
cpe:2.3:a:openssl:openssl:0.9.1c:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.2b:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.3:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.3a:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.4:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.5:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.5:beta1:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.5:beta2:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.5a:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.5a:beta1:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.5a:beta2:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.6:*:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.6:beta1:*:*:*:*:*:* | ||
cpe:2.3:a:openssl:openssl:0.9.6:beta2:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://eprint.iacr.org/2011/232.pdf
- http://lists.apple.com/archives/security-announce/2013/Jun/msg00000.html
- http://secunia.com/advisories/44935
- http://support.apple.com/kb/HT5784
- http://www.debian.org/security/2011/dsa-2309
- http://www.kb.cert.org/vuls/id/536044
- http://www.kb.cert.org/vuls/id/MAPG-8FENZ3
- http://www.mandriva.com/security/advisories?name=MDVSA-2011%3A136
- http://www.mandriva.com/security/advisories?name=MDVSA-2011%3A137
- https://hermes.opensuse.org/messages/8760466
- https://hermes.opensuse.org/messages/8764170