CVE-2015-8803
First published: Tue Feb 23 2016(Updated: )
The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8805.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nettle | <=3.1.1 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.10 | |
| SUSE Linux | =42.1 | |
| SUSE Linux | =13.1 | |
| SUSE Linux | =13.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176807.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177229.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177473.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00091.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00093.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00100.html
- http://rhn.redhat.com/errata/RHSA-2016-2582.html
- http://www.openwall.com/lists/oss-security/2016/02/02/2
- http://www.openwall.com/lists/oss-security/2016/02/03/1
- http://www.ubuntu.com/usn/USN-2897-1
- https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html
- https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
- https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html
- https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
Frequently Asked Questions
What is the severity of CVE-2015-8803?
CVE-2015-8803 is considered a high severity vulnerability due to the potential for improper output in cryptographic computations.
How do I fix CVE-2015-8803?
To fix CVE-2015-8803, upgrade Nettle to version 3.2 or later.
Which software versions are affected by CVE-2015-8803?
CVE-2015-8803 affects Nettle versions prior to 3.2, as well as specific versions of Ubuntu Linux and openSUSE.
What type of attack can CVE-2015-8803 facilitate?
CVE-2015-8803 can allow attackers to leverage incorrect cryptographic outputs to exploit unspecified vectors.
Is CVE-2015-8803 a local or remote vulnerability?
The nature of CVE-2015-8803 allows potential exploitation through local or remote vectors, depending on the attack scenario.
- agent/references
- agent/weakness
- agent/type
- agent/remedy
- agent/author
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/nettle project
- canonical/nettle
- version/nettle/3.1.1
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/15.10
- vendor/opensuse
- canonical/suse linux
- version/suse linux/42.1
- version/suse linux/13.1
- version/suse linux/13.2