Bug 1366105 - (CVE-2016-6313) CVE-2016-6313 libgcrypt: PRNG output is predictable
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20160817,repor...
Keywords: Reopened, Security
Depends On: 1386491 1390852 1390853 1368041 1386488 1386489 1386490
Blocks: 1364841
Reported: 2016-08-11 01:02 EDT by Huzaifa S. Sidhpurwala
Modified: 2016-12-13 06:36 EST (History)
CC: 14 users

See Also:
Fixed In Version: libgcrypt 1.7.3, libgcrypt 1.6.6, libgcrypt 1.5.6, gnupg 1.4.21
Doc Type: Release Note
Doc Text:
A design flaw was found in the libgcrypt PRNG (Pseudo-Random Number Generator). An attacker able to obtain the first 580 bytes of the PRNG output could predict the following 20 bytes.
Last Closed: 2016-11-08 01:51:42 EST

Attachments: None
Description Huzaifa S. Sidhpurwala 2016-08-11 01:02:26 EDT
A design flaw was found in the libgcrypt PRNG (Pseudo-Random Number Generator). An attacker who can obtain the first 580 bytes of the PRNG output can trivially predict the following 20 bytes.
Comment 1 Huzaifa S. Sidhpurwala 2016-08-12 01:28:44 EDT
Acknowledgements:

Name: Felix Dörre, Vladimir Klebanov
Comment 2 Adam Mariš 2016-08-18 03:56:07 EDT
External Reference:

https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
Comment 3 Adam Mariš 2016-08-18 03:57:01 EDT
Created libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1368041]
Comment 4 Adam Mariš 2016-08-18 03:59:15 EDT
Note that CVE-2016-6316 used in announcement is wrong, it should be CVE-2016-6313 as used in commit messages.
Comment 9 Huzaifa S. Sidhpurwala 2016-08-19 04:39:36 EDT
Analysis:

This is essentially a flaw in the way libgcrypt's PRNG works. The flaw exists in the mixing of the entropy pool, which reduces the entropy by at least 20 bytes.
libgcrypt PRNG is modeled after a proposal by Gutmann with several notable differences. The weakness in the PRNG results in the fact that by taking the bytes [L-40, L-20)U[0,44] of the output and hashing them with the hash context chaining buffer set to bytes [L-40,L-20), an attacker can predict the bytes [L-20,L).

Attack:

The attacker needs to obtain 4640 bits of data from the PRNG. There may be several ways for an attacker to do this; for example, entropy is heavily used when a GPG key pair is generated. However, the paper states that after 4640 bits of data are read by the attacker, he can calculate the next consecutive 160 bits. Practically, reading so much entropy directly from the libgcrypt PRNG is very difficult to pull off (for GPG key pair generation, several calculations need to be done on the output of the PRNG before it can be used as a key, etc.).

So even though the attack is easy to conduct, it's beyond the scope of practicality for any attacker (remote or even local).
Comment 13 Fedora Blocker Bugs Application 2016-08-22 17:30:50 EDT
Proposed as a Blocker and Freeze Exception for 25-alpha by Fedora user bcl using the blocker tracking app because:

 gnupg Fix critical security bug in the RNG [CVE-2016-6313] seems like a good enough reason to block/break freeze.
Comment 14 Adam Williamson 2016-08-22 17:37:00 EDT
meh, the discussion above makes it not seem terribly critical (i.e. practically exploitable). I guess I'd be OK for an FE if the change was small enough. It does not smell like a blocker to me, though.
Comment 16 Stephen Gallagher 2016-08-23 08:44:45 EDT
Based on the discussion in here, I'm -1 to blocking Alpha for this and -1 on a Freeze Exception. I don't have a clear picture of what might go wrong with this if we change it at this point. The patch looks fairly innocuous, but since it's a key part of pseudo-random number generation, I'm not going to pretend to know if it's a low risk to include it.

I'd rather we skip it for Alpha and get it into u-t for people to try out.
Comment 17 Tomas Mraz 2016-08-23 09:03:07 EDT
+1 to Stephen, this is not a critical bug - at most the impact is moderate.
Comment 18 Adam Williamson 2016-08-23 12:05:08 EDT
That's three -1 blocker votes, marking as RejectedBlocker.
Comment 19 Tomas Hoger 2016-08-23 12:21:05 EDT
(In reply to Adam Williamson from comment #18)
> That's three -1 blocker votes, marking as RejectedBlocker.

Please don't set that on bugs against Security Response product, there's Fedora bug 1368041 where that belongs.  Moving.
Comment 20 Adam Williamson 2016-08-23 12:31:37 EDT
sorry, that wasn't me, though; it was bcl who nominated it. I just followed the process from there.
Comment 21 Fedora Update System 2016-08-26 06:21:42 EDT
gnupg-1.4.21-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2016-08-27 06:23:40 EDT
libgcrypt-1.6.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2016-08-30 14:19:08 EDT
gnupg-1.4.21-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 24 Fedora Update System 2016-09-06 21:50:10 EDT
libgcrypt-1.6.6-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 26 Fedora Update System 2016-09-13 21:20:51 EDT
gnupg-1.4.21-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 27 Yaakov Selkowitz 2016-09-22 16:44:50 EDT
Does mingw-libgcrypt also need an update?  The whiteboard doesn't mention it either way.
Comment 28 Tomas Mraz 2016-09-23 03:48:52 EDT
If the version is older than the versions mentioned in the Fixed in field, then yes.
Comment 29 Yaakov Selkowitz 2016-09-23 13:26:47 EDT
(In reply to Tomas Mraz from comment #28)
> If the version is older than the versions mentioned in the Fixed in field,
> then yes.

Both Fedora and EPEL7 mingw-libgcrypt are 1.6.3.
Comment 30 Tomas Mraz 2016-09-26 03:55:59 EDT
And that means it is vulnerable.
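The exchange in comments 28 to 30 reduces to one rule: a build is vulnerable when its version is older than the fix for its release line in the "Fixed In Version" field (libgcrypt 1.7.3, 1.6.6, 1.5.6; gnupg 1.4.21). The script below is an added example for this bug page, not Red Hat's or the GnuPG project's code; it encodes that field and applies the rule to plain versions and to rpm name-version-release strings such as the mingw-libgcrypt 1.6.3 build mentioned in comment 29. The handling of release lines the field does not list (a later line counts as fixed, an older line or a gnupg 2.x build is reported as "not covered") is an assumption of this example, and the sample NVR strings are constructed.

```python
"""
Classify a libgcrypt or gnupg version against the fixed versions listed in
this bug's "Fixed In Version" field. Added example for this bug page, not
Red Hat's or the GnuPG project's code. The release-line logic for versions
the field does not list is an assumption of this example.
"""

# Fixed versions from the "Fixed In Version" field, keyed by package and by
# the 1.x release line each fix belongs to.
FIXED_IN = {
    "libgcrypt": {(1, 5): (1, 5, 6), (1, 6): (1, 6, 6), (1, 7): (1, 7, 3)},
    "gnupg": {(1, 4): (1, 4, 21)},
}


def parse_version(text):
    """Turn '1.6.6', '1.6.6-1.fc25' or '1.7.3a' into a tuple of ints.

    The rpm release suffix after '-' is dropped and a trailing non-numeric
    part such as the 'a' in '1.7.3a' is ignored.
    """
    base = text.split("-", 1)[0]
    parts = []
    for piece in base.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    return tuple(parts)


def is_vulnerable(package, version):
    """Return True (vulnerable), False (fixed) or None (not covered).

    None means the Fixed In field says nothing about this package or
    release line, so the answer has to come from somewhere else.
    """
    branches = FIXED_IN.get(package)
    if branches is None:
        return None
    v = parse_version(version)
    if package == "gnupg" and v[0] >= 2:
        # GnuPG 2.x takes its random numbers from libgcrypt, so the
        # installed libgcrypt is what has to be checked (assumption of
        # this example: the field only lists gnupg 1.4.21).
        return None
    line = v[:2]
    if line in branches:
        return v < branches[line]
    if v > max(branches.values()):
        # A release line newer than every listed fix (e.g. libgcrypt 1.8.x)
        # postdates the fix.
        return False
    # A release line older than any listed fix (e.g. libgcrypt 1.4.x).
    return None


def check_nvr(nvr):
    """Classify an rpm name-version-release string.

    The version starts at the first '-' separated piece that begins with
    a digit; mingw-prefixed builds are mapped to the base package name.
    Returns (base package, is_vulnerable result).
    """
    pieces = nvr.split("-")
    for i, piece in enumerate(pieces):
        if piece and piece[0].isdigit():
            name = "-".join(pieces[:i])
            version = "-".join(pieces[i:])
            break
    else:
        raise ValueError("no version in %r" % nvr)
    for base in FIXED_IN:
        if name == base or name.endswith("-" + base):
            return base, is_vulnerable(base, version)
    return name, None


if __name__ == "__main__":
    # Constructed sample inputs mirroring the versions discussed on the page.
    for sample in ["mingw-libgcrypt-1.6.3-2.fc25", "libgcrypt-1.6.6-1.fc25",
                   "gnupg-1.4.21-1.fc24", "libgcrypt-1.8.1-1.fc27"]:
        print(sample, "->", check_nvr(sample))
```

On a live system the NVR strings come from `rpm -q libgcrypt mingw-libgcrypt gnupg`; a True result means the package is below the fix for its line and needs the update tracked in the dependent bugs, a None result means the field gives no answer and the package has to be checked against its own advisory.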
Comment 32 Yaakov Selkowitz 2016-11-01 15:02:50 EDT
(In reply to Tomas Mraz from comment #30)
> And that means it is vulnerable.

I still don't see mingw-libgcrypt bugs filed.
Comment 33 Huzaifa S. Sidhpurwala 2016-11-02 02:12:35 EDT
Created mingw-libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1390852]
Affects: epel-7 [bug 1390853]
Comment 34 errata-xmlrpc 2016-11-08 01:25:23 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2016:2674 https://rhn.redhat.com/errata/RHSA-2016-2674.html
