SB2018120612 - Ubuntu update for OpenSSL 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2018120612

SB2018120612 - Ubuntu update for OpenSSL

Published: December 6, 2018 Updated: December 10, 2018

Security Bulletin ID SB2018120612
Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2018-0734)

The vulnerability allows a local attacker to obtain potentially sensitive information.

The vulnerability exists due to unspecified flaw in Digital Signature Algorithm (DSA). A local attacker can conduct a timing side-channel attack and recover the private key, which could be used to conduct further attacks.


2) Information disclosure (CVE-ID: CVE-2018-0735)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to disclosure of the OpenSSL ECDSA signature algorithm. A remote attacker can use variations in the signing algorithm to conduct a timing side channel attack and recover the private key.


3) Side-channel attack (CVE-ID: CVE-2018-5407)

The vulnerability allows a physical attacker to obtain potentially sensitive information.

The vulnerability exists due to due to execution of engine sharing on SMT (e.g.Hyper-Threading) architectures when improper handling of information by the processor. A physical attacker can construct a timing side channel to hijack information from processes that are running in the same core.

Note: the vulnerability has been dubbed as PortSmash microarchitecture bug.


Remediation

Install update from vendor's website.

References