FreeBSD: VID-7caebe30-d7f1-11e6-a9a5-b499baebfeaf (CVE-2016-7056): openssl -- timing attack vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 2 | (AV:L/AC:L/Au:N/C:P/I:N/A:N) | Jan 11, 2017 | Jan 12, 2017 | Dec 10, 2025 |
Description
Cesar Pereida Garcia reports: The signing function in crypto/ecdsa/ecdsa_ossl.c in certain OpenSSL versions and forks is vulnerable to timing attacks when signing with the standardized elliptic curve P-256 despite featuring constant-time curve operations and modular inversion. A software defect omits setting the BN_FLG_CONSTTIME flag for nonces, failing to take a secure code path in the BN_mod_inverse method and therefore resulting in a cache-timing attack vulnerability. A malicious user with local access can recover ECDSA P-256 private keys.
Solutions
- freebsd-upgrade-package-openssl
- freebsd-upgrade-package-libressl
- freebsd-upgrade-package-libressl-devel