CVE-2019-13629: XSS
First published: Thu Oct 03 2019(Updated: )
MatrixSSL 4.2.1 and earlier contains a timing side channel in ECDSA signature generation. This allows a local or a remote attacker, able to measure the duration of hundreds to thousands of signing operations, to compute the private key used. The issue occurs because crypto/pubkey/ecc_math.c scalar multiplication leaks the bit length of the scalar.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Matrixssl Matrixssl | <=4.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2019-13629.
What is the severity of CVE-2019-13629?
The severity of CVE-2019-13629 is medium with a CVSS score of 5.9.
What is the affected software version of CVE-2019-13629?
The affected software version of CVE-2019-13629 is MatrixSSL 4.2.1 and earlier.
How does the timing side channel in ECDSA signature generation affect CVE-2019-13629?
The timing side channel in ECDSA signature generation allows an attacker to compute the private key used, if they can measure the duration of signing operations.
Are there any references related to CVE-2019-13629?
Yes, there are references related to CVE-2019-13629. They can be found at the following links: http://www.openwall.com/lists/oss-security/2019/10/02/2, https://eprint.iacr.org/2011/232.pdf, https://minerva.crocs.fi.muni.cz/
- collector/nvd-index
- agent/weakness
- agent/references
- agent/author
- agent/severity
- agent/description
- agent/type
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/matrixssl
- canonical/matrixssl matrixssl
- version/matrixssl matrixssl/4.2.1