Executive Summary

Summary
Title gnupg security update
Informations
Name RHSA-2014:0016 First vendor Publication 2014-01-08
Vendor RedHat Last vendor Modification 2014-01-08
Severity (Vendor) Moderate Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score 2.1 Attack Range Local
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

An updated gnupg package that fixes one security issue is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64

3. Description:

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard.

It was found that GnuPG was vulnerable to side-channel attacks via acoustic cryptanalysis. An attacker in close range to a target system that is decrypting ciphertexts could possibly use this flaw to recover the RSA secret key from that system. (CVE-2013-4576)

Red Hat would like to thank Werner Koch of GnuPG upstream for reporting this issue. Upstream acknowledges Genkin, Shamir, and Tromer as the original reporters.

All gnupg users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1043327 - CVE-2013-4576 gnupg: RSA secret key recovery via acoustic cryptanalysis

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2014-0016.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-255 Credentials Management

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20478
 
Oval ID: oval:org.mitre.oval:def:20478
Title: USN-2059-1 -- gnupg vulnerability
Description: GnuPG could expose sensitive information when performing decryption.
Family: unix Class: patch
Reference(s): USN-2059-1
CVE-2013-4576
Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): gnupg
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20781
 
Oval ID: oval:org.mitre.oval:def:20781
Title: DSA-2821-1 gnupg - side channel attack
Description: Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen cipher texts.
Family: unix Class: patch
Reference(s): DSA-2821-1
CVE-2013-4576
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): gnupg
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21251
 
Oval ID: oval:org.mitre.oval:def:21251
Title: RHSA-2014:0016: gnupg security update (Moderate)
Description: GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.
Family: unix Class: patch
Reference(s): RHSA-2014:0016-00
CESA-2014:0016
CVE-2013-4576
Version: 6
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): gnupg
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23305
 
Oval ID: oval:org.mitre.oval:def:23305
Title: ELSA-2014:0016: gnupg security update (Moderate)
Description: GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.
Family: unix Class: patch
Reference(s): ELSA-2014:0016-00
CVE-2013-4576
Version: 6
Platform(s): Oracle Linux 5
Product(s): gnupg
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26715
 
Oval ID: oval:org.mitre.oval:def:26715
Title: DEPRECATED: ELSA-2014-0016 -- gnupg security update (moderate)
Description: [1.4.5-18.1] - fix CVE-2013-4576 acoustic side channel attack on RSA private keys
Family: unix Class: patch
Reference(s): ELSA-2014-0016
CVE-2013-4576
Version: 4
Platform(s): Oracle Linux 5
Product(s): gnupg
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 76

Nessus® Vulnerability Scanner

Date Description
2015-08-05 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-577.nasl - Type : ACT_GATHER_INFO
2014-02-05 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-278.nasl - Type : ACT_GATHER_INFO
2014-01-10 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140108_gnupg_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-01-09 Name : The remote CentOS host is missing a security update.
File : centos_RHSA-2014-0016.nasl - Type : ACT_GATHER_INFO
2014-01-09 Name : The remote Oracle Linux host is missing a security update.
File : oraclelinux_ELSA-2014-0016.nasl - Type : ACT_GATHER_INFO
2014-01-09 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0016.nasl - Type : ACT_GATHER_INFO
2013-12-30 Name : The remote Fedora host is missing a security update.
File : fedora_2013-23615.nasl - Type : ACT_GATHER_INFO
2013-12-30 Name : The remote Fedora host is missing a security update.
File : fedora_2013-23678.nasl - Type : ACT_GATHER_INFO
2013-12-23 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2013-354-01.nasl - Type : ACT_GATHER_INFO
2013-12-23 Name : The remote Fedora host is missing a security update.
File : fedora_2013-23603.nasl - Type : ACT_GATHER_INFO
2013-12-20 Name : The remote Mandriva Linux host is missing a security update.
File : mandriva_MDVSA-2013-295.nasl - Type : ACT_GATHER_INFO
2013-12-19 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2821.nasl - Type : ACT_GATHER_INFO
2013-12-19 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_2e5715f867f711e39811b499baab0cbe.nasl - Type : ACT_GATHER_INFO
2013-12-19 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2059-1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-02-17 11:57:44
  • Multiple Updates
2014-01-08 21:19:38
  • First insertion