Date: Sat, 16 Aug 2014 00:58:11 -0400 (EDT)
Subject: Re: CVE request: libgcrypt, ELGAMAL side-channel attack


> libgcrypt older than 1.6.0, and older than 1.5.4, are vulnerable to an
> ELGAMAL side-channel attack:

As far as we can tell, you are probably asking for a CVE ID for the
vulnerability with the "touching exposed metal on the computer's
chassis" attack vector and the impact of determining Elgamal
encryption subkeys. Use CVE-2014-5270. Some additional details,
probably less relevant to most readers, are included below.

> (This may be similar sort of issue to CVE-2013-4242.)

We don't think it is especially similar. CVE-2013-4242 is about
information leaks in the caching implementation of Intel x86
processors. The existing CVE that is related to the above 000352.html
reference is CVE-2013-4576.

More specifically, 000352.html is about the document. This document says
"We have disclosed our attack to GnuPG developers under CVE-2013-4576,
suggested suitable countermeasures, and worked with the developers to
test them. New versions of GnuPG 1.x and of libgcrypt (which underlies
GnuPG 2.x), containing these countermeasures and resistant to the
key-extraction attack described here, were released concurrently with
the first public posting of these results. GnuPG version 1.4.16
onwards, and libgcrypt 1.6.0 onwards, resist the key-extraction attack
described here." The authors of this document may have intended for
CVE-2013-4576 to apply to both the acoustic attack vector and the
"exposed metal" attack vector. Also, note that the primary
CVE-2013-4576 reference does mention "exposed metal" (first line of
page 5). However, that reference does not demonstrate how to use
"exposed metal" to exploit a vulnerability. Furthermore, says:

  Q5: What's new since your paper on acoustic cryptanalysis?
  New attack channels. The new channels discussed here are physically
  different than the acoustic channel, and result in different attack

Thus, we think it is best to have a separate CVE ID (CVE-2014-5270)
for the new information about the use of "exposed metal" in practical
vulnerability exploitation, and to maintain CVE-2013-4576 as bound
solely to acoustic attacks. Please keep in mind, though, that the
vector difference between CVE-2014-5270 and CVE-2013-4576 is based
only on different science, not different software behavior. As far as
we know, the acoustic attack and "exposed metal" attack are
characterized by:

  - the same affected and unaffected versions of every product
  - the same underlying issue in the code
  - the same code fixes (e.g., ciphertext normalization and ciphertext

Specifically, the primary CVE-2013-4576 reference says "New versions
of GnuPG ... and libgcrypt, containing these countermeasures and
resisting our current key-extraction attack, were released
concurrently with this paper's first public posting." We think this
means that Libgcrypt 1.6.0 had the CVE-2013-4576 fix, even though
does not mention fixing an acoustic issue.

Finally, about other vulnerabilities that are different from both
CVE-2013-4576 and CVE-2014-5270:

1. Both the primary CVE-2013-4576 reference and the primary
CVE-2014-5270 reference mention that RSA key distinguishability
remains present in all software versions. The primary CVE-2014-5270
reference adds that "mitigating it in software, without a large
overhead, remains an open problem." There is currently no CVE ID for
this key-distinguishability issue. At least at present, the rationale
is roughly that preventing key distinguishability is outside the scope
of what the software offers.

2. The Description section of refers to the
above 000352.html but lists as a reference. This
CCS.pdf document seems to be completely unrelated to the acoustic and
"exposed metal" issues. If anyone is interested in one or more
CVE-2012-#### IDs for CCS.pdf, please specify what aspects of the
paper are about vulnerabilities that belong in CVE, and whether you
feel that each is a vulnerability in GnuPG or libgcrypt, or a
vulnerability in Xen.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]

