IsItPatched: Instant security status for any software version

CVE-2011-1945

LOW severity · CVSS 2.6 · CWE-310

Summary

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.

Impact & exploitability

Attack vector: Network
Attack complexity: High
Privileges required
User interaction
Confidentiality impact
Integrity impact: None
Availability impact: None
Exploit probability (EPSS): 5%

AV:N/AC:H/Au:N/C:P/I:N/A:N

Affected products we track (1)

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Last checked: Wed, 10 Jun 2026 22:18:30 UTC