CVE-2019-1551

UNKNOWN

Published 2019-12-06T17:20:14.842234Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2019-1551. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t).

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

OpenSSL

Affected Versions:

Fixed in OpenSSL 1.1.1e (Affected 1.1.1-1.1.1d) Fixed in OpenSSL 1.0.2u (Affected 1.0.2-1.0.2t)

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed MODERATE

GHSA-fcc6-m5v9-xcgq

Advisory Details

There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. Fixed in OpenSSL 1.1.1e-dev (Affected 1.1.1-1.1.1d). Fixed in OpenSSL 1.0.2u-dev (Affected 1.0.2-1.0.2t).

CVSS Scoring

CVSS Score

5.0

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-1551

WEB https://www.tenable.com/security/tns-2021-10

WEB https://www.tenable.com/security/tns-2020-11

WEB https://www.tenable.com/security/tns-2020-03

WEB https://www.tenable.com/security/tns-2019-09

WEB https://www.oracle.com/security-alerts/cpujul2020.html

WEB https://www.oracle.com/security-alerts/cpujan2021.html

WEB https://www.oracle.com/security-alerts/cpuApr2021.html

WEB https://www.openssl.org/news/secadv/20191206.txt

WEB https://www.debian.org/security/2021/dsa-4855

WEB https://www.debian.org/security/2019/dsa-4594

WEB https://usn.ubuntu.com/4504-1

WEB https://usn.ubuntu.com/4376-1

WEB https://security.netapp.com/advisory/ntap-20191210-0001

WEB https://security.gentoo.org/glsa/202004-10

WEB https://seclists.org/bugtraq/2019/Dec/46

WEB https://seclists.org/bugtraq/2019/Dec/39

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD

WEB https://lists.fedoraproject.org/archives/list/[email protected]/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD

WEB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY

WEB https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html

WEB https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=f1c5eea8a817075d31e43f5876993c6710238c98

WEB https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=419102400a2811582a7a3d4a4e317d72e5ce0a8f

WEB https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98

WEB https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f

WEB http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html

WEB http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html

Advisory provided by GitHub Security Advisory Database. Published: May 24, 2022, Modified: April 4, 2024

References

https://seclists.org/bugtraq/2019/Dec/39

https://www.debian.org/security/2019/dsa-4594

https://seclists.org/bugtraq/2019/Dec/46

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html

https://security.gentoo.org/glsa/202004-10

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XVEP3LAK4JSPRXFO4QF4GG2IVXADV3SO/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DDHOAATPWJCXRNFMJ2SASDBBNU5RJONY/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EXDDAOWSAIEFQNBHWYE6PPYFV4QXGMCD/

https://usn.ubuntu.com/4376-1/

https://www.oracle.com/security-alerts/cpujul2020.html

https://www.tenable.com/security/tns-2019-09

https://www.openssl.org/news/secadv/20191206.txt

https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=419102400a2811582a7a3d4a4e317d72e5ce0a8f

https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=f1c5eea8a817075d31e43f5876993c6710238c98

https://security.netapp.com/advisory/ntap-20191210-0001/

http://packetstormsecurity.com/files/155754/Slackware-Security-Advisory-openssl-Updates.html

https://www.tenable.com/security/tns-2020-03

https://usn.ubuntu.com/4504-1/

https://www.oracle.com/security-alerts/cpujan2021.html

https://www.tenable.com/security/tns-2020-11

https://www.debian.org/security/2021/dsa-4855

https://www.oracle.com/security-alerts/cpuApr2021.html

https://www.tenable.com/security/tns-2021-10

https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html

Published: 2019-12-06T17:20:14.842234Z

Last Modified: 2024-09-16T19:40:14.240Z

Copied to clipboard!

CVE-2019-1551

Expert Analysis

Description

Available Exploits

Related News

Affected Products

OpenSSL

Affected Versions:

GitHub Security Advisories

Advisory Details

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!