First published: Fri Jun 15 2018
wolfcrypt/src/ecc.c in wolfSSL before 3.15.1.patch allows a memory-cache side-channel attack on ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover an ECDSA key, the attacker needs access to either the local machine or a different virtual machine on the same physical host.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
WolfSSL wolfssl | <3.15.3 | |
The vulnerability ID for this issue is CVE-2018-12436.
The severity of CVE-2018-12436 is medium with a CVSS score of 4.7.
The affected software is WolfSSL wolfssl, versions up to 3.15.3.
The vulnerability allows a memory-cache side-channel attack on ECDSA signatures, which could lead to the discovery of an ECDSA key.
wolfSSL has provided a patch to address this vulnerability. More information can be found at the following reference links: [wolfSSL commit 9b9568d](https://github.com/wolfSSL/wolfssl/commit/9b9568d500f31f964af26ba8d01e542e1f27e5ca), [NCC Group technical advisory: Return of the Hidden Number Problem](https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/), [wolfSSL: wolfSSH and ROHNP](https://www.wolfssl.com/wolfssh-and-rohnp/).