Bug 2002816 (CVE-2021-40528)

Summary: CVE-2021-40528 libgcrypt: ElGamal implementation allows plaintext recovery
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bdettelb, caswilli, cfergeau, crypto-team, erik-fedora, fjansen, jjelen, kaycoth, marcandre.lureau, perobins, psegedy, rh-spice-bugs, rjones, ssorce, tcarlin, tcullum, tm, vkumar, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in libgcrypt's ElGamal implementation, where it allows plain text recovery. During the interaction between two cryptographic libraries, a certain combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP. The highest threat from this vulnerability is to confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-07-01 01:23:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2002818, 2002819, 2018524, 2018525, 2018526, 2019492    
Bug Blocks: 2002820    

Description Guilherme de Almeida Suckevicz 2021-09-09 19:17:52 UTC 
The ElGamal implementation in Libgcrypt before 1.9.4 allows plaintext recovery because, during interaction between two cryptographic libraries, a certain dangerous combination of the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents can lead to a cross-configuration attack against OpenPGP.

References:
https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
https://eprint.iacr.org/2021/923
Comment 1 Guilherme de Almeida Suckevicz 2021-09-09 19:18:14 UTC 
Created libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 2002818]


Created mingw-libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 2002819]
Comment 2 Jakub Jelen 2021-09-09 21:11:44 UTC 
Heya,
my reading of the paper in [1] suggests it is about CVE-2021-33560 which was already fixed in libgcrypt 1.8.8. The part 2 [2] discus the side channel attack, but references the same commit as a fix. Can you clarify what is here expected to be fixed in libgcrypt, when it has separate CVE number?

[1] https://ibm.github.io/system-security-research-updates/2021/07/20/insecurity-elgamal-pt1
[2] https://ibm.github.io/system-security-research-updates/2021/09/06/insecurity-elgamal-pt2
[3] https://github.com/gpg/libgcrypt/commit/632d80ef3
Comment 5 Jakub Jelen 2021-09-15 16:59:21 UTC 
Todd, I did not see any question in your last comment so I am removing the needinfo.

Just found out this CVE was discussed in the upstream issue handling this:

https://dev.gnupg.org/T5328#149606

They claim that this new CVE is about the side-channel attacks and upstream do not consider it as a vulnerability for various reasons.

But I would love if you could get some clarification of the CVE page. It is very unclear, not mentioning the fix, upstream issue, anything, just the 1.9.4 version [2]. The CVE-2021-33560 was fixed also in 1.8.8 and in 1.9.3 (which is not correct either -- it is mentioned in the NEWS, but the patch is only in 1.9.4) [3].

I will close the Fedora bug as all the updates are already in stable.

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40528
[2] https://dev.gnupg.org/source/libgcrypt/browse/master/NEWS;libgcrypt-1.9.4$6
[3] https://dev.gnupg.org/source/libgcrypt/browse/master/NEWS;libgcrypt-1.8.8$14
Comment 7 Todd Cullum 2021-10-29 18:31:47 UTC 
In reply to comment #5:
> Todd, I did not see any question in your last comment so I am removing the
> needinfo.
> 
> Just found out this CVE was discussed in the upstream issue handling this:
> 
> https://dev.gnupg.org/T5328#149606
> 
> They claim that this new CVE is about the side-channel attacks and upstream
> do not consider it as a vulnerability for various reasons.
> 
> But I would love if you could get some clarification of the CVE page. It is
> very unclear, not mentioning the fix, upstream issue, anything, just the
> 1.9.4 version [2]. The CVE-2021-33560 was fixed also in 1.8.8 and in 1.9.3
> (which is not correct either -- it is mentioned in the NEWS, but the patch
> is only in 1.9.4) [3].

I'd be happy to check, but I do not have a clear communication stream with upstream at the moment. If we can get ahold of gniibe, that would be helpful. I've tried to register for an account there but am in a moderator queue for approval.
Comment 24 errata-xmlrpc 2022-06-28 18:31:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5311 https://access.redhat.com/errata/RHSA-2022:5311
Comment 25 Product Security DevOps Team 2022-07-01 01:23:33 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-40528