CVE-2016-7056 log

Source
Severity Medium
Remote No
Type Private key recovery
Description 
The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys.
Group Package Affected Fixed Severity Status Ticket
AVG-141 lib32-openssl 1.0.2.j-1 Medium Not affected
AVG-140 openssl 1.0.2.j-1 Medium Not affected
References 
https://eprint.iacr.org/2016/1195.pdf
https://git.openssl.org/?p=openssl.git;a=commit;h=f54be179aa4cbbd944728771d7d59ed588158a12
https://git.openssl.org/?p=openssl.git;a=commit;h=8aed2a7548362e88e84a7feb795a3a97e8395008
http://www.openwall.com/lists/oss-security/2017/01/12/10
Notes 
In order to exploit this flaw, the attacker needs to be have local (shell) access to the machine where the message is being signed using the ECDSA algorithm with a P-256 elliptic curve key. Then using cache timing attacks (which needs precise timing), on multiple signature runs, the private key could be obtained.