The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of RSA: private key computation via CRT

Synthesis of the vulnerability 

An attacker can interact with an application that does not implement the RSA-CRT protection, in order to progressively recover the private key.
Impacted software: FortiGate, FortiGate Virtual Appliance, FortiOS, Java OpenJDK, openSUSE, Java Oracle, JavaFX, SSL protocol, Unix (platform) ~ not comprehensive.
Severity of this computer vulnerability: 2/4.
Creation date: 08/09/2015.
References for this bulletin: cpuapr2015, CVE-2015-5738, openSUSE-SU-2015:1596-1, RSA-CRT, VIGILANCE-VUL-17836.

Description of the vulnerability 

An implementation of the RSA algorithm can use the CRT (Chinese Remainder Theorem) optimization to make computations faster. However, RSA-CRT signing is affected by a side-channel attack known since 1996 (Arjen Lenstra). OpenSSL and NSS, for example, are protected.

The GnuPG software is protected, but the Libgcrypt library is not. An attacker can therefore interact with an application linked against Libgcrypt, trigger a series of errors and attack RSA-CRT, in order to progressively recover the private key.

The TLS protocol can use Perfect Forward Secrecy; in this case, an RSA signature is used. However, several implementations, such as OpenJDK or the JRE, lack the RSA-CRT protection. An attacker can therefore interact with a TLS server that has Perfect Forward Secrecy enabled, trigger a series of errors and attack RSA-CRT, in order to progressively recover the private key.

An attacker can therefore interact with an application that does not implement the RSA-CRT protection, in order to progressively recover the private key.
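As an added illustration that is not part of the Vigil@nce bulletin and not code from any of the affected products: the Python sketch below shows the RSA-CRT signing path, the public-key check that protected implementations such as OpenSSL and NSS perform before releasing a signature, and why that check matters. The key (two Mersenne primes, far too small for real use) and the simulated computation error are constructed for the example; all function names are this example's own.

```python
from math import gcd
import hashlib

# Constructed toy key: 2^31-1 and 2^61-1 are certainly prime, e = 65537 is
# coprime to (P-1)(Q-1). Illustration only; never use a key this small.
P = (1 << 31) - 1
Q = (1 << 61) - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

# CRT private components, as stored in a PKCS#1 RSAPrivateKey structure.
DP = D % (P - 1)
DQ = D % (Q - 1)
QINV = pow(Q, -1, P)


def hash_to_int(message: bytes) -> int:
    """Map a message to an integer below N (stand-in for proper PKCS#1 padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def rsa_crt_sign_unprotected(m: int, fault_in_p: bool = False) -> int:
    """RSA-CRT signing with no result check: the pattern the bulletin calls
    unprotected. fault_in_p=True simulates a computation error in the mod-p half."""
    s1 = pow(m, DP, P)
    s2 = pow(m, DQ, Q)
    if fault_in_p:
        s1 = (s1 + 1) % P  # simulated error; any corruption of s1 behaves the same
    h = (QINV * (s1 - s2)) % P  # Garner recombination
    return s2 + h * Q


def rsa_crt_sign_protected(m: int, fault_in_p: bool = False):
    """RSA-CRT signing with the countermeasure: verify the result with the public
    exponent before releasing it, and refuse to output a signature that fails."""
    s = rsa_crt_sign_unprotected(m, fault_in_p)
    if pow(s, E, N) != m:
        return None  # a real library would abort or fall back to non-CRT signing
    return s


def factor_from_faulty_signature(m: int, s_faulty: int) -> int:
    """Why the check matters (Lenstra, 1996): a signature that is correct mod q but
    wrong mod p satisfies s^e == m only modulo q, so gcd(s^e - m, N) equals q.
    One released faulty signature therefore reveals the private key."""
    return gcd((pow(s_faulty, E, N) - m) % N, N)


def demo() -> dict:
    """Run the three cases and return the observable results."""
    m = hash_to_int(b"constructed sample message")
    good = rsa_crt_sign_unprotected(m)
    bad = rsa_crt_sign_unprotected(m, fault_in_p=True)
    return {
        "good_verifies": pow(good, E, N) == m,
        "protected_releases_good": rsa_crt_sign_protected(m) == good,
        "protected_blocks_faulty": rsa_crt_sign_protected(m, fault_in_p=True) is None,
        "faulty_leaks_factor": factor_from_faulty_signature(m, bad) == Q,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The verification step costs one public-exponent exponentiation per signature, which is cheap next to the private operation; an implementation that skips it, as the bulletin describes for Libgcrypt and the Java runtimes, hands an attacker exactly the faulty signature the last function needs.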

This weakness impacts software or systems such as FortiGate, FortiGate Virtual Appliance, FortiOS, Java OpenJDK, openSUSE, Java Oracle, JavaFX, SSL protocol, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

The trust level is confirmed by the vendor, and the attack origin is an internet client.

An attacker with expert ability can exploit this threat bulletin.

Solutions for this threat 

Oracle Java, OpenJDK: version 8u45.
The version 8u45 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java, OpenJDK: version 7u80.
The version 7u80 is fixed:
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

Oracle Java, OpenJDK: version 6u95.
The version 6u95 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html

Oracle Java, OpenJDK: version 5.0u85.
The version 5.0u85 is fixed:
  http://www.oracle.com/technetwork/indexes/downloads/index.html
  http://www.oracle.com/technetwork/java/javase/documentation/overview-137139.html

Libgcrypt: version 1.6.4.
The version 1.6.4 is fixed:
  ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.6.4.tar.bz2

Libgcrypt: patch for RSA-CRT.
A patch is indicated in the information sources.

FortiOS: versions 5.0.13, 5.2.6 and 5.4.0.
Versions 5.0.13, 5.2.6 and 5.4.0 are fixed:
  http://fortiguard.com/

openSUSE: new libgcrypt packages.
New packages are available:
  openSUSE 13.1: libgcrypt 1.5.4-2.12.1
  openSUSE 13.2: libgcrypt 1.6.1-8.10.1
