OpenSSL Timing Side-Channel Vulnerability in ECDSA Signature Computation

Vulnerability

A timing side-channel vulnerability has been identified in the ECDSA signature computation of OpenSSL that could allow recovery of private keys. The vulnerability is present in OpenSSL versions 3.4, 3.3, 3.2, 3.1, 3.0, 1.1.1, and 1.0.2. The timing leak occurs when the top word of the inverted ECDSA nonce value is zero, which happens with significant probability on certain elliptic curves, particularly the NIST P-521 curve. To exploit this vulnerability, an attacker must have local access to the signing application or a very fast, low-latency network connection to it.
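As an added illustration (not part of the original advisory) of why P-521 is singled out: the script below, assuming 64-bit bignum limbs, computes how often the modular inverse of a random nonce has an all-zero top limb for the P-521 and P-256 group orders (curve orders taken from FIPS 186-4), both analytically and by sampling.

```python
import random

WORD_BITS = 64  # assumption: 64-bit bignum limbs, as on x86-64 builds

# Group orders of the NIST curves, from FIPS 186-4 (standard constants).
P521_N = int("01FF" + "FFFFFFFF" * 7 + "FFFFFFFA"
             + "51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)
P256_N = int("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551", 16)


def word_count(n, word_bits=WORD_BITS):
    """Number of limbs needed to hold a value reduced modulo n."""
    return -(-n.bit_length() // word_bits)


def top_word_is_zero(x, n, word_bits=WORD_BITS):
    """True if x, stored in word_count(n) limbs, has an all-zero top limb."""
    return x < 1 << (word_bits * (word_count(n) - 1))


def analytic_probability(n, word_bits=WORD_BITS):
    """Fraction of residues mod n whose top limb is zero.

    Inversion is a bijection on [1, n-1], so for a uniform nonce the
    inverse is uniform too and this is exactly the leak probability.
    P-521 is 521 bits: 8 full limbs plus a 9-bit top limb, so ~2^-9.
    P-256 fills 4 limbs exactly, so the top limb is zero only ~2^-64.
    """
    return (1 << (word_bits * (word_count(n) - 1))) / n


def count_zero_top_inverses(n, trials, seed=1):
    """Sample ECDSA-style nonces k, invert them mod n, count zero top limbs."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible sample
    hits = 0
    for _ in range(trials):
        k = rng.randrange(1, n)
        k_inv = pow(k, -1, n)
        if top_word_is_zero(k_inv, n):
            hits += 1
    return hits


if __name__ == "__main__":
    for name, n in (("P-521", P521_N), ("P-256", P256_N)):
        print(f"{name}: {n.bit_length()} bits in {word_count(n)} limbs, "
              f"P(top limb zero) ~ {analytic_probability(n):.3g}, "
              f"observed {count_zero_top_inverses(n, 20000)} / 20000")
```

Roughly one in 500 P-521 signatures hits the leaky condition, which is why that curve is called out while P-256 is effectively unaffected.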

Impact

Exploitation of this vulnerability could lead to the unauthorized disclosure of private keys, allowing an attacker to compromise the ECDSA signatures made with them.

Reproduction

The vulnerability can be reproduced by measuring the timing of ECDSA signature operations. This can be done either by running a process on the same physical machine as the OpenSSL application or by using a fast, low-latency network connection to a remote application that performs ECDSA signing.

Remediation

Users should upgrade to the fixed release for their branch:

OpenSSL 3.4: upgrade to 3.4.1
OpenSSL 3.3: upgrade to 3.3.3
OpenSSL 3.2: upgrade to 3.2.4
OpenSSL 3.1: upgrade to 3.1.8
OpenSSL 3.0: upgrade to 3.0.16
OpenSSL 1.1.1: upgrade to 1.1.1zb
OpenSSL 1.0.2: upgrade to 1.0.2zl

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 8.6
impact: 2.5
exploitability: 7.7
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.