CVE-2015-7940
Cryptographic Issue vulnerability in bcprov-jdk15 (Maven)

Cryptographic Issue No known exploit

What is CVE-2015-7940 About?

The Bouncy Castle Java library before version 1.51 is vulnerable to an 'invalid curve attack' on its elliptic curve Diffie-Hellman (ECDH) key exchanges. This flaw allows remote attackers to obtain private keys by supplying crafted points on invalid curves. Exploiting it requires a series of carefully orchestrated key exchanges, which makes the attack moderately to highly complex.

Affected Software

  • org.bouncycastle:bcprov-jdk15
    • <1.51
  • org.bouncycastle:bcprov-jdk14
    • <1.51
  • org.bouncycastle:bcprov-jdk15on
    • <1.51

Technical Details

The Bouncy Castle Java library, in versions prior to 1.51, fails to adequately validate that a point provided during an Elliptic Curve Diffie-Hellman (ECDH) key exchange actually lies on the specified elliptic curve. This oversight makes the library susceptible to an 'invalid curve attack'. An attacker can initiate an ECDH key exchange and, during the process, transmit a public key corresponding to a point that is not on the expected curve, but rather on a specially chosen 'invalid' curve that has a small subgroup order. Because the point addition and doubling formulas do not involve the curve constant b, the vulnerable Bouncy Castle implementation performs scalar multiplication of its private key with this invalid public point as usual, and the resulting point will still lie on the invalid curve. By repeating this process with multiple carefully selected invalid points, an attacker can exploit the algebraic properties of these small-order curves to reveal bits of the victim's private key. This iterative process allows a remote attacker to eventually reconstruct the full private key.
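As an added illustration (not code from the Bouncy Castle project or from this advisory), the following Python performs the peer-public-point validation that versions before 1.51 omitted, using the NIST P-256 domain parameters as an assumed curve, and shows why an off-curve point still behaves as a point on some other curve with the same a but a different b:

```python
# Added example, not Bouncy Castle code. Curve choice (NIST P-256) is an assumption.

# NIST P-256 (secp256r1) domain parameters; cofactor h = 1
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_on_curve(x: int, y: int) -> bool:
    """Range check plus short-Weierstrass equation y^2 == x^3 + a*x + b (mod p)."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def implied_b(x: int, y: int) -> int:
    """The coefficient b' such that (x, y) satisfies y^2 = x^3 + a*x + b' (mod p).

    The group law never uses b, so scalar multiplication of an off-curve point
    silently proceeds on this other curve: that is the 'invalid curve'."""
    return (y * y - x * x * x - A * x) % P


def validate_peer_point(x: int, y: int) -> None:
    """Reject anything that is not a finite point of the negotiated curve.

    With cofactor 1, on-curve and finite implies the correct subgroup; curves
    with h > 1 additionally need an n*Q == O (order) check."""
    if not is_on_curve(x, y):
        raise ValueError("peer public key is not on the negotiated curve")


def accept_uncompressed(enc: bytes) -> bool:
    """Decode a SEC1 uncompressed point 0x04 || X || Y and validate it."""
    if len(enc) != 65 or enc[0] != 0x04:
        return False  # wrong length, compressed form, or point at infinity (0x00)
    x, y = int.from_bytes(enc[1:33], "big"), int.from_bytes(enc[33:], "big")
    try:
        validate_peer_point(x, y)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the generator G (valid) and a tampered copy with y+1,
    # which lies on a different curve (different b) and must be rejected.
    good = b"\x04" + GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
    bad = b"\x04" + GX.to_bytes(32, "big") + (GY + 1).to_bytes(32, "big")
    print(accept_uncompressed(good), accept_uncompressed(bad))  # True False
```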

What is the Impact of CVE-2015-7940?

Successful exploitation may allow attackers to recover the cryptographic private keys used in ECDH key exchanges, leading to the compromise of encrypted communications and data confidentiality.

What is the Exploitability of CVE-2015-7940?

Exploitation of this vulnerability requires an attacker to engage in a series of active ECDH key exchanges with the vulnerable target. The attack is complex, as it involves generating specific 'invalid curve' public keys and performing cryptographic calculations to derive the private key from multiple resulting ephemeral shared secrets. No authentication is typically required, as it targets the key exchange mechanism itself, often performed early in a protocol. The attack is remote. The primary risk factor is the active participation of the vulnerable system in ECDH key exchanges (e.g., TLS, secure messaging), presenting opportunities for an attacker to initiate the necessary interactions. This attack is often categorized as a 'chosen ciphertext' style attack in the context of key exchanges.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2015-7940?

Available Upgrade Options

  • org.bouncycastle:bcprov-jdk14
    • <1.51 → Upgrade to 1.51
  • org.bouncycastle:bcprov-jdk15
    • <1.51 → Upgrade to 1.51
  • org.bouncycastle:bcprov-jdk15on
    • <1.51 → Upgrade to 1.51


Additional Resources

What are Similar Vulnerabilities to CVE-2015-7940?

Similar Vulnerabilities: CVE-2016-1000342, CVE-2016-1000352, CVE-2015-1832, CVE-2019-3462, CVE-2019-12293