U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CVE-2024-13176 Detail

Description

Issue summary: A timing side-channel which could potentially allow recovering the private key exists in the ECDSA signature computation. Impact summary: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located in the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low.


Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:

NIST CVSS score
NIST: NVD
N/A
NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource
http://www.openwall.com/lists/oss-security/2025/01/20/2
https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844
https://github.com/openssl/openssl/commit/2af62e74fb59bc469506bc37eb2990ea408d9467
https://github.com/openssl/openssl/commit/392dcb336405a0c94486aa6655057f59fd3a0902
https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65
https://github.com/openssl/openssl/commit/77c608f4c8857e63e98e66444e2e761c9627916f
https://github.openssl.org/openssl/extended-releases/commit/0d5fd1ab987f7571e2c955d8d8b638fc0fb54ded
https://github.openssl.org/openssl/extended-releases/commit/a2639000db19878d5d89586ae7b725080592ae86
https://openssl-library.org/news/secadv/20250120.txt
https://security.netapp.com/advisory/ntap-20250124-0005/

Weakness Enumeration

CWE-ID CWE Name Source
CWE-385 Covert Timing Channel OpenSSL Software Foundation  

Change History

4 change records found show changes

Quick Info

CVE Dictionary Entry:
CVE-2024-13176
NVD Published Date:
01/20/2025
NVD Last Modified:
01/27/2025
Source:
OpenSSL Software Foundation