Description
A bug in the standard library ScalarMult implementation of curve P-256 for amd64 architectures in Go before 1.7.6 and 1.8.x before 1.8.2 causes incorrect results to be generated for specific input points. An adaptive attack can be mounted to progressively extract the scalar input to ScalarMult by submitting crafted points and observing failures to the derive correct output. This leads to a full key recovery attack against static ECDH, as used in popular JWT libraries.
References (9)
Core 9
Core References
Vendor Advisory mailing-list
x_refsource_mlist
https://groups.google.com/d/msg/golang-announce/B5ww0iFt1_Q/TgUFJV14BgAJ
Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/golang/go/commit/9294fa2749ffee7edbbb817a0ef9fe633136fa9c
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:1859
Patch, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2017-06/msg00080.html
Patch, Third Party Advisory vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2017-06/msg00079.html
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1455191
Third Party Advisory x_refsource_confirm
https://github.com/golang/go/issues/20040
Vendor Advisory x_refsource_confirm
https://go-review.googlesource.com/c/41070/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LZH4T47ROLZ6YEZBDVXVS2KISTDMXAPS/
Scores
CVSS v3
5.9
EPSS
0.0222
EPSS Percentile
80.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-682
Status
published
Products (6)
fedoraproject/fedora
25
golang/go
1.8
golang/go
1.8.1
golang/go
< 1.7.5
novell/suse_package_hub_for_suse_linux_enterprise
12
opensuse/leap
42.2
Published
Jul 06, 2017
Tracked Since
Feb 18, 2026