CVE-2016-7056

Published on: 09/10/2018 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:06 PM UTC

CVE-2016-7056

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Certain versions of Ubuntu Linux from Canonical contain the following vulnerability:

A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.

CVE-2016-7056 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
Affected Vendor/Software: The OpenSSL Project - openssl version openssl 1.0.1u

CVSS3 Score: 5.5 - MEDIUM

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
LOCAL	LOW	LOW	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	NONE	NONE

CVSS2 Score: 2.1 - LOW

Access Vector^ⓘ	Access Complexity	Authentication
LOCAL	LOW	NONE
Confidentiality Impact	Integrity Impact	Availability Impact
PARTIAL	NONE	NONE

CVE References

Description	Tags ^ⓘ	Link
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2017:1413
	Patch Third Party Advisory ftp.openbsd.org text/x-diff	CONFIRM ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig
OpenSSL CVE-2016-7056 Local Information Disclosure Vulnerability	Third Party Advisory VDB Entry cve.report (archive) text/html	BID 95375
OpenSSL ecdsa_sign_setup() Timing Flaw Lets Local Users Recover Private Keys - SecurityTracker	Patch Third Party Advisory VDB Entry www.securitytracker.com text/html	SECTRACK 1037575
Debian -- Security Information -- DSA-3773-1 openssl	Third Party Advisory www.debian.org Depreciated Link text/html	DEBIAN DSA-3773
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2017:1801
oss-sec: CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)	Mailing List Third Party Advisory seclists.org text/html	MLIST [oss-security] 20170110 CVE-2016-7056 ECDSA P-256 timing attack key recovery (OpenSSL, LibreSSL, BoringSSL)
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2017:1414
git.openssl.org Git - openssl.git/commit	Patch Third Party Advisory git.openssl.org text/xml	CONFIRM git.openssl.org/?p=openssl.git;a=commit;h=8aed2a7548362e88e84a7feb795a3a97e8395008
Bug 1412120 – CVE-2016-7056 openssl: ECDSA P-256 timing attack key recovery	Issue Tracking Patch Third Party Advisory bugzilla.redhat.com text/html	CONFIRM bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7056
Red Hat Customer Portal	Third Party Advisory web.archive.org text/html Inactive LinkNot Archived	REDHAT RHSA-2017:1415
Cryptology ePrint Archive: Report 2016/1195	Third Party Advisory eprint.iacr.org text/html	MISC eprint.iacr.org/2016/1195
CVE-2016-7056	Patch Third Party Advisory VDB Entry security-tracker.debian.org text/html	CONFIRM security-tracker.debian.org/tracker/CVE-2016-7056
	Patch Third Party Advisory ftp.openbsd.org text/x-diff	CONFIRM ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig
Red Hat Customer Portal	Third Party Advisory access.redhat.com text/html	REDHAT RHSA-2017:1802
CVE-2016-7056 in Ubuntu	Patch Third Party Advisory people.canonical.com text/html	CONFIRM people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7056.html

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

There are currently no QIDs associated with this CVE

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Openssl	Openssl	All	All	All	All
Operating System	Redhat	Enterprise Linux	6.0	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux	6.0	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*:
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*:
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*:
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*:
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*:
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*:
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*:
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*:
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*:
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE