CVE-2010-0928
ADVISORY - debian
Summary
OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."
http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
https://github.com/openssl/openssl/discussions/24540
Fault injection based attacks are not within OpenSSL's threat model according to the security policy: https://www.openssl.org/policies/general/security-policy.html
Debian
-
CVSS SCORE
N/A low
Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
---|---|---|---|---|---|
debian/openssl | deb | debian | 12 | >=3.0.11-1~deb12u2 | Not yet available |
debian/openssl | deb | debian | 10 | >=1.1.1n-0+deb10u3 | Not yet available |
debian/openssl | deb | debian | 11 | >=1.1.1w-0+deb11u1 | Not yet available |
debian/openssl | deb | debian | unstable | >=3.2.2-1 | Not yet available |
debian/openssl | deb | debian | 13 | >=3.2.1-3 | Not yet available |
Severity and metrics
No CVSS data available from this advisory.
NIST
1.9
CVSS SCORE
4 medium
Ubuntu
-
CVSS SCORE
N/A low
Red Hat
-
CVSS SCORE
N/A low
intheWild
-
-