Vulnerability Description
Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because scalar multiplication in ecp.cpp (prime field curves, small leakage) and algebra.cpp (binary field curves, large leakage) is not constant time and leaks the bit length of the scalar among other information.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cryptopp | Crypto\+\+ | <= 8.3.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00066.html
- http://www.openwall.com/lists/oss-security/2019/10/02/2
- https://eprint.iacr.org/2011/232.pdfExploitThird Party Advisory
- https://github.com/weidai11/cryptopp/issues/869PatchThird Party Advisory
- https://minerva.crocs.fi.muni.cz/
- https://tches.iacr.org/index.php/TCHES/article/view/7337Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00066.html
- http://www.openwall.com/lists/oss-security/2019/10/02/2
- https://eprint.iacr.org/2011/232.pdfExploitThird Party Advisory
- https://github.com/weidai11/cryptopp/issues/869PatchThird Party Advisory
- https://minerva.crocs.fi.muni.cz/
- https://tches.iacr.org/index.php/TCHES/article/view/7337Third Party Advisory
FAQ
What is CVE-2019-14318?
CVE-2019-14318 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Crypto++ 8.3.0 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or remote attacker, able to measure the duration of hundreds to thousands of signing operat...
How severe is CVE-2019-14318?
CVE-2019-14318 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-14318?
Check the references section above for vendor advisories and patch information. Affected products include: Cryptopp Crypto\+\+.