Vulnerability Details CVE-2015-8803
The ecc_256_modp function in ecc-256.c in Nettle before 3.2 does not properly handle carry propagation and produces incorrect output in its implementation of the P-256 NIST elliptic curve, which allows attackers to have unspecified impact via unknown vectors, a different vulnerability than CVE-2015-8805.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.099
EPSS Ranking 92.5%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176807.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177229.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177473.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00091.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00093.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00100.html
- http://rhn.redhat.com/errata/RHSA-2016-2582.html
- http://www.openwall.com/lists/oss-security/2016/02/02/2
- http://www.openwall.com/lists/oss-security/2016/02/03/1
- http://www.ubuntu.com/usn/USN-2897-1
- https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html
- https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
- https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html
- https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176807.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177229.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177473.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00091.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00093.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00100.html
- http://rhn.redhat.com/errata/RHSA-2016-2582.html
- http://www.openwall.com/lists/oss-security/2016/02/02/2
- http://www.openwall.com/lists/oss-security/2016/02/03/1
- http://www.ubuntu.com/usn/USN-2897-1
- https://blog.fuzzing-project.org/38-Miscomputations-of-elliptic-curve-scalar-multiplications-in-Nettle.html
- https://git.lysator.liu.se/nettle/nettle/commit/c71d2c9d20eeebb985e3872e4550137209e3ce4d
- https://lists.gnu.org/archive/html/info-gnu/2016-01/msg00006.html
- https://lists.lysator.liu.se/pipermail/nettle-bugs/2015/003028.html
Products affected by CVE-2015-8803
-
cpe:2.3:a:nettle_project:nettle:-
-
cpe:2.3:a:nettle_project:nettle:2.0
-
cpe:2.3:a:nettle_project:nettle:2.1
-
cpe:2.3:a:nettle_project:nettle:2.2
-
cpe:2.3:a:nettle_project:nettle:2.3
-
cpe:2.3:a:nettle_project:nettle:2.4
-
cpe:2.3:a:nettle_project:nettle:2.5
-
cpe:2.3:a:nettle_project:nettle:2.6
-
cpe:2.3:a:nettle_project:nettle:2.7
-
cpe:2.3:a:nettle_project:nettle:3.0
-
cpe:2.3:a:nettle_project:nettle:3.1
-
cpe:2.3:a:nettle_project:nettle:3.1.1
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:15.10
-
cpe:2.3:o:opensuse:leap:42.1
-
cpe:2.3:o:opensuse:opensuse:13.1
-
cpe:2.3:o:opensuse:opensuse:13.2