Bug 1970096 (CVE-2021-33560) - CVE-2021-33560 libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm
Summary: CVE-2021-33560 libgcrypt: mishandles ElGamal encryption because it lacks expo...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-33560
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1976846 1970097 1970098 1971420 1971421 1971422
Blocks: 1970100
TreeView+ depends on / blocked
 
Reported: 2021-06-09 19:50 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-04-17 21:26 UTC (History)
12 users (show)

Fixed In Version: libgcrypt 1.8.8, libgcrypt 1.9.3
Doc Type: If docs needed, set a value
Doc Text:
A side-channel attack flaw was found in the way libgcrypt implemented Elgamal encryption. This flaw allows an attacker to decrypt parts of ciphertext encrypted using Elgamal, for example, when using OpenPGP. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed: 2021-11-09 22:51:04 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:4409 0 None None None 2021-11-09 18:40:27 UTC

Description Guilherme de Almeida Suckevicz 2021-06-09 19:50:05 UTC 
Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.

References:
https://dev.gnupg.org/T5466
https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61
https://dev.gnupg.org/T5305
https://dev.gnupg.org/T5328
Comment 1 Guilherme de Almeida Suckevicz 2021-06-09 19:50:33 UTC 
Created libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1970098]


Created mingw-libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1970097]
Comment 2 Guilherme de Almeida Suckevicz 2021-06-09 19:50:37 UTC 
Created libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1970098]


Created mingw-libgcrypt tracking bugs for this issue:

Affects: fedora-all [bug 1970097]
Comment 3 Jakub Jelen 2021-06-09 20:50:14 UTC 
I do not see the patch from description [1] in 1.8.8 tarball downloaded from upstream website when I tried to update Fedora 33 (last not having the 1.9.3 version).

[1] https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61
[2] https://gnupg.org/download/index.html
Comment 4 Huzaifa S. Sidhpurwala 2021-06-14 05:10:52 UTC 
Analysis:

This is a side-channel attack on ElGamal encryption in libgcrypt, essentially because it lacks exponent blinding against mpi_powm.
Comment 7 Huzaifa S. Sidhpurwala 2021-06-14 05:17:32 UTC 
Upstream patches:

https://dev.gnupg.org/rC632d80ef30e13de6926d503aa697f92b5dbfbc5e
https://dev.gnupg.org/rC707c3c5c511ee70ad0e39ec613471f665305fbea
https://dev.gnupg.org/rC3462280f2e23e16adf3ed5176e0f2413d8861320
Comment 13 errata-xmlrpc 2021-11-09 18:40:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:4409 https://access.redhat.com/errata/RHSA-2021:4409
Comment 14 Product Security DevOps Team 2021-11-09 22:51:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-33560
Note You need to log in before you can comment on or make changes to this bug.