Bug 1970096 (CVE-2021-33560)

Summary: CVE-2021-33560 libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adsoni, caswilli, cfergeau, crypto-team, erik-fedora, fidencio, jjelen, kaycoth, marcandre.lureau, rh-spice-bugs, rjones, tm
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: libgcrypt 1.8.8, libgcrypt 1.9.3 Doc Type: If docs needed, set a value
Doc Text:
A side-channel attack flaw was found in the way libgcrypt implemented Elgamal encryption. This flaw allows an attacker to decrypt parts of ciphertext encrypted using Elgamal, for example, when using OpenPGP. The highest threat from this vulnerability is to confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 22:51:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1976846, 1970097, 1970098, 1971420, 1971421, 1971422    
Bug Blocks: 1970100    

Description Guilherme de Almeida Suckevicz 2021-06-09 19:50:05 UTC 
Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.

References:
https://dev.gnupg.org/T5466
https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61
https://dev.gnupg.org/T5305
https://dev.gnupg.org/T5328
Comment 1 Guilherme de Almeida Suckevicz 2021-06-09 19:50:33 UTC 
Created libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1970098]


Created mingw-libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1970097]
Comment 2 Guilherme de Almeida Suckevicz 2021-06-09 19:50:37 UTC 
Created libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1970098]


Created mingw-libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1970097]
Comment 3 Jakub Jelen 2021-06-09 20:50:14 UTC 
I do not see the patch from description [1] in 1.8.8 tarball downloaded from upstream website when I tried to update Fedora 33 (last not having the 1.9.3 version).

[1] https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61
[2] https://gnupg.org/download/index.html
Comment 4 Huzaifa S. Sidhpurwala 2021-06-14 05:10:52 UTC 
Analysis:

This is a side-channel attack on ElGamal encryption in libgcrypt, essentially because it lacks exponent blinding against mpi_powm.
Comment 7 Huzaifa S. Sidhpurwala 2021-06-14 05:17:32 UTC 
Upstream patches:

https://dev.gnupg.org/rC632d80ef30e13de6926d503aa697f92b5dbfbc5e
https://dev.gnupg.org/rC707c3c5c511ee70ad0e39ec613471f665305fbea
https://dev.gnupg.org/rC3462280f2e23e16adf3ed5176e0f2413d8861320
Comment 13 errata-xmlrpc 2021-11-09 18:40:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4409 https://access.redhat.com/errata/RHSA-2021:4409
Comment 14 Product Security DevOps Team 2021-11-09 22:51:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33560