


KB26562 - OpenSSL leaks the ECDSA private key via a remote timing attack



Last Modified Date: 8/25/2015 8:48 AM

This article describes whether Juniper products are exposed to the issue reported in the Vulnerability Note from the CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute (SEI).

Problem or Goal

A remote attacker can retrieve the private key of a TLS server that authenticates with ECDSA signatures and binary curves.


The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation.

The root cause (Brumley and Tuveri, 2011) is that the Montgomery ladder used for scalar multiplication on binary-field curves started its loop at the most significant set bit of the scalar, so the time taken to sign revealed the bit length of the per-signature nonce k. An attacker who times many TLS handshakes keeps the signatures whose nonce has leading zero bits and feeds them to a lattice (hidden number problem) solver, which recovers the server's long-term ECDSA private key. Prime-field curves such as NIST P-256 use a different code path and are not affected by this particular issue.

For more information, see the corresponding Common Vulnerabilities and Exposures (CVE) entry, published through the National Cyber Awareness System.

Among the vulnerable software and versions listed there is OpenSSL "1.0.0d and previous versions."
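The leak described above, as an added example that is not part of the original article and is not Juniper's or OpenSSL's code. It models the first phase of the attack only: a Montgomery ladder whose loop count depends on the nonce's bit length, the attacker's timing-based filter for signatures with short nonces, and a check that the filter's bound (which the later lattice phase relies on) really holds. Assumptions: the group is the multiplicative group of integers modulo a constructed Mersenne prime, standing in for the binary-field curve so that no GF(2^m) arithmetic is needed; "time" is the ladder's loop count rather than wall-clock measurements; all function names (ladder_variable_length, ladder_fixed_length, simulate_signatures, select_by_timing, filter_is_sound) are hypothetical. The ladder structure, and therefore the leak, is the same as for a curve.

```python
"""Model of the binary-curve ECDSA timing leak (added example, not OpenSSL's
or Juniper's code). Group: integers modulo a prime, standing in for the curve.
"""
import secrets


def ladder_variable_length(k, g, p):
    """Montgomery ladder that starts at the top set bit of k (the leaky form).
    Returns (g**k mod p, loop iterations). Invariant: r1 == r0 * g."""
    r0, r1 = 1, g
    steps = 0
    for i in range(k.bit_length() - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = r0 * r1 % p, r1 * r1 % p
        else:
            r0, r1 = r0 * r0 % p, r0 * r1 % p
        steps += 1
    # steps == k.bit_length(): that is the value the attacker learns
    return r0, steps


def ladder_fixed_length(k, g, p, nbits):
    """Same ladder, but always walks nbits bits (the hardened form).
    Leading zero bits of k are processed like any other bit, so the loop
    count is nbits regardless of k. Requires k < 2**nbits."""
    r0, r1 = 1, g
    steps = 0
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = r0 * r1 % p, r1 * r1 % p
        else:
            r0, r1 = r0 * r0 % p, r0 * r1 % p
        steps += 1
    return r0, steps


def simulate_signatures(n_sigs, nbits, g, p, rng=secrets.randbelow):
    """Draw n_sigs random nonces as a signer would and record what the
    attacker observes (loop count) next to the secret nonce. The nonce is
    kept only so the filter below can be checked; a real attacker sees the
    signature and the timing, never k."""
    samples = []
    for _ in range(n_sigs):
        k = rng((1 << nbits) - 1) + 1          # 1 <= k < 2**nbits
        _, steps = ladder_variable_length(k, g, p)
        samples.append((steps, k))
    return samples


def select_by_timing(samples, nbits, leading_zero_bits):
    """Attacker-side filter: keep the signatures whose observed time says
    the nonce has at least leading_zero_bits zero bits on top. Roughly one
    sample in 2**leading_zero_bits survives."""
    max_steps = nbits - leading_zero_bits
    return [k for steps, k in samples if steps <= max_steps]


def filter_is_sound(kept, nbits, leading_zero_bits):
    """Every selected nonce must lie below 2**(nbits - t): this is exactly
    the partial-nonce knowledge the lattice phase turns into the key."""
    bound = 1 << (nbits - leading_zero_bits)
    return all(0 < k < bound for k in kept)


if __name__ == "__main__":
    P = (1 << 61) - 1      # constructed toy modulus (Mersenne prime)
    G = 3
    NBITS = 60
    T = 3                  # look for nonces with 3 leading zero bits
    samples = simulate_signatures(4000, NBITS, G, P)
    kept = select_by_timing(samples, NBITS, T)
    print(f"kept {len(kept)} of {len(samples)} samples (about 1/{2**T} expected)")
    print("filter sound:", filter_is_sound(kept, NBITS, T))
    print("fixed-length ladder steps:", ladder_fixed_length(5, G, P, NBITS)[1])
```

The fixed-length ladder shows the shape of the remedy: make the amount of work independent of the scalar. The fix OpenSSL shipped took a related route, padding the nonce to a constant bit length by adding the group order before the scalar multiplication, so the loop count no longer depends on k.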


Juniper IVE (Secure Access) supports elliptic-curve cipher suites in release 7.4 and above. The OpenSSL versions shipped by those releases are given in the following FAQ entry from the related article:

FAQ 8: What are the OpenSSL versions used in the vulnerable server and client components?
Secure Access software versions 7.4R1 and 7.4R2 use OpenSSL version 1.0.1c, and 7.4R3 and above use OpenSSL version 1.0.1e.
Secure Access software versions 8.0R1 to 8.0R3 use OpenSSL version 1.0.1e.

All of the Secure Access releases listed above ship OpenSSL 1.0.1 builds, which are later than the 1.0.0d cut-off named in the CVE. Juniper's recommendation: to avoid potential vulnerability, use IVE 7.4R3 or above when using the ECDHE_ECDSA cipher suite with ECC certificates. Note that the issue applies only to certificates on binary-field (sect*) curves; deployments using prime-field curves such as P-256 are outside its scope.

Created By: Data Deployment


