#VU42223 Credentials management in GnuPG - CVE-2013-4576

Cybersecurity Help s.r.o.

Published: 2013-12-20 | Updated: 2020-08-10

Vulnerability identifier: #VU42223

Vulnerability risk: Low

CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-4576

CWE-ID: CWE-255

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
GnuPG
Client/Desktop applications / Encryption software

Vendor: GNU

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.

Mitigation
Install update from vendor's website.

Vulnerable software versions

GnuPG: 1.0.0 - 1.4.14

External links
https://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html
https://osvdb.org/101170
https://rhn.redhat.com/errata/RHSA-2014-0016.html
https://seclists.org/oss-sec/2013/q4/520
https://seclists.org/oss-sec/2013/q4/523
https://www.cs.tau.ac.il/~tromer/acoustic/
https://www.debian.org/security/2013/dsa-2821
https://www.securityfocus.com/bid/64424
https://www.securitytracker.com/id/1029513
https://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
https://www.ubuntu.com/usn/USN-2059-1
https://exchange.xforce.ibmcloud.com/vulnerabilities/89846

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for libgcrypt

Amazon Linux AMI update for gnupg

Slackware Linux update for gnupg

Credentials management in GNU GnuPG