Date: Sat, 16 Aug 2014 00:58:11 -0400 (EDT) From: cve-assign@...re.org To: mmcallis@...hat.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE request: libgcrypt, ELGAMAL side-channel attack -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > libgcrypt older than 1.6.0, and older than 1.5.4, are vulnerable to a > ELGAMAL side-channel attack: > > http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html As far as we can tell, you are probably asking for a CVE ID for the vulnerability with the "touching exposed metal on the computer's chassis" attack vector and the impact of determining Elgamal encryption subkeys. Use CVE-2014-5270. Some additional details, probably less relevant to most readers, are included below. > (This may be similar sort of issue to CVE-2013-4242.) We don't think it is especially similar. CVE-2013-4242 is about information leaks in the caching implementation of Intel x86 processors. The existing CVE that is related to the above 000352.html reference is CVE-2013-4576. More specifically, 000352.html is about the http://www.cs.tau.ac.il/~tromer/handsoff/ document. This document says "We have disclosed our attack to GnuPG developers under CVE-2013-4576, suggested suitable countermeasures, and worked with the developers to test them. New versions of GnuPG 1.x and of libgcrypt (which underlies GnuPG 2.x), containing these countermeasures and resistant to the key-extraction attack described here, were released concurrently with the first public posting of these results. GnuPG version 1.4.16 onwards, and libgcrypt 1.6.0 onwards, resist the key-extraction attack described here." The authors of this document may have intended for CVE-2013-4576 to apply to both the acoustic attack vector and the "exposed metal" attack vector. Also, note that the primary CVE-2013-4576 reference does mention "exposed metal" (first line of page 5). However, that reference does not demonstrate how to use "exposed metal" to exploit a vulnerability. Furthermore, http://www.cs.tau.ac.il/~tromer/handsoff/ says: Q5: What's new since your paper on acoustic cryptanalysis? New attack channels. The new channels discussed here are physically different than the acoustic channel, and result in different attack scenarios. Thus, we think it is best to have a separate CVE ID (CVE-2014-5270) for the new information about the use of "exposed metal" in practical vulnerability exploitation, and to maintain CVE-2013-4576 as bound solely to acoustic attacks. Please keep in mind, though, that the vector difference between CVE-2014-5270 and CVE-2013-4576 is based only on different science, not different software behavior. As far as we know, the acoustic attack and "exposed metal" attack are characterized by: - the same affected and unaffected versions of every product - the same underlying issue in the code - the same code fixes (e.g., ciphertext normalization and ciphertext randomization) Specifically, the primary CVE-2013-4576 reference says "New versions of GnuPG ... and libgcrypt, containing these countermeasures and resisting our current key-extraction attack, were released concurrently with this paper's first public posting." We think this means that Libgcrypt 1.6.0 had the CVE-2013-4576 fix, even though http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000336.html does not mention fixing an acoustic issue. Finally, about other vulnerabilities that are different from both CVE-2013-4576 and CVE-2014-5270: 1. Both the primary CVE-2013-4576 reference and the primary CVE-2014-5270 reference mention that RSA key distinguishability remains present in all software versions. The primary CVE-2014-5270 reference adds that "mitigating it in software, without a large overhead, remains an open problem." There is currently no CVE ID for this key-distinguishability issue. At least at present, the rationale is roughly that preventing key distinguishability is outside the scope of what the software offers. 2. The Description section of https://bugzilla.redhat.com/show_bug.cgi?id=1128531 refers to the above 000352.html but lists http://www.cs.unc.edu/~reiter/papers/2012/CCS.pdf as a reference. This CCS.pdf document seems to be completely unrelated to the acoustic and "exposed metal" issues. If anyone is interested in one or more CVE-2012-#### IDs for CCS.pdf, please specify what aspects of the paper are about vulnerabilities that belong in CVE, and whether you feel that each is a vulnerability in GnuPG or libgcrypt, or a vulnerability in Xen. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJT7uO3AAoJEKllVAevmvmsF0MH/iKQ8WojpaKy2JkvEiapm25P PSvrnfzEt3i4K0ZCnIdM2AQVE2wcdlN4lSofkBCPTDhKZgEFyQiXalpvKw8wZy4Q +do667tIYReuEvjzq9YGKt5n/6x6olAH8HAcu/Wla9eNxppTNpyIPE2W6iFyU3Ez 83yaRlLpFKCdEyfCIAYl/AjrYJw7vHZFpn0X6tWvZ/lnlAOamDknZslktm3qyxom HIhEB5g3Hsk85J5TfrylqSv2kZu7heVEs/CWrLiJlyUCXKql6M2VX9PcyPhZSVAl WGrYKC7Q1mfzsiqFBsFA1vRy/FDgGimriykL0WWn/TVwMNsFEA/rrHRNViV0o6A= =YPoP -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.