GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.

GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption.
NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.

It was found that GnuPG was vulnerable to side-channel attacks via acoustic cryptanalysis. An attacker in close range to a target system that is decrypting ciphertexts could possibly use this flaw to recover the RSA secret key from that system. (CVE-2013-4576)

An updated gnupg package that fixes one security issue is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard.

It was found that GnuPG was vulnerable to side-channel attacks via acoustic cryptanalysis. An attacker in close range to a target system that is decrypting ciphertexts could possibly use this flaw to recover the RSA secret key from that system. (CVE-2013-4576)

Red Hat would like to thank Werner Koch of GnuPG upstream for reporting this issue. Upstream acknowledges Genkin, Shamir, and Tromer as the original reporters.

All gnupg users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

From Red Hat Security Advisory 2014:0016 :

An updated gnupg package that fixes one security issue is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The GNU Privacy Guard (GnuPG or GPG) is a tool for encrypting data and creating digital signatures, compliant with the proposed OpenPGP Internet standard and the S/MIME standard.

It was found that GnuPG was vulnerable to side-channel attacks via acoustic cryptanalysis. An attacker in close range to a target system that is decrypting ciphertexts could possibly use this flaw to recover the RSA secret key from that system. (CVE-2013-4576)

Red Hat would like to thank Werner Koch of GnuPG upstream for reporting this issue. Upstream acknowledges Genkin, Shamir, and Tromer as the original reporters.

All gnupg users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

What's New ===========

  - Fixed the RSA Key Extraction via Low-Bandwidth Acoustic     Cryptanalysis attack as described by Genkin, Shamir, and     Tromer. See     <http://www.cs.tau.ac.il/~tromer/acoustic/>.[CVE-2013-45     76]

  - Put only the major version number by default into     armored output.

  - Do not create a trustdb file if --trust-model=always is     used.

  - Print the keyid for key packets with --list-packets.

  - Changed modular exponentiation algorithm to recover from     a small performance loss due to a change in 1.4.14.

Impact of the security problem ==============================

CVE-2013-4576 has been assigned to this security bug.

The paper describes two attacks.The first attack allows to distinguish keys: An attacker is able to notice which key is currently used for decryption.This is in general not a problem but may be used to reveal the information that a message, encrypted to a commonly not used key, has been received by the targeted machine.We do not have a software solution to mitigate this attack.

The second attack is more serious. It is an adaptive chosen ciphertext attack to reveal the private key. A possible scenario is that the attacker places a sensor (for example a standard smartphone) in the vicinity of the targeted machine. That machine is assumed to do unattended RSA decryption of received mails, for example by using a mail client which speeds up browsing by opportunistically decrypting mails expected to be read soon.While listening to the acoustic emanations of the targeted machine, the smartphone will send new encrypted messages to that machine and re-construct the private key bit by bit.A 4096 bit RSA key used on a laptop can be revealed within an hour.

GnuPG 1.4.16 avoids this attack by employing RSA blinding during decryption.GnuPG 2.x and current Gpg4win versions make use of Libgcrypt which employs RSA blinding anyway and are thus not vulnerable.

For the highly interesting research on acoustic cryptanalysis and the details of the attack see http://www.cs.tau.ac.il/~tromer/acoustic/ .

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

New gnupg packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue.

A vulnerability has been discovered and corrected in gnupg :

Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts (CVE-2013-4576).

The updated packages have been patched to correct this issue.

Daniel Genkin, Adi Shamir, and Eran Tromer discovered that GnuPG was susceptible to an adaptive chosen ciphertext attack via acoustic emanations. A local attacker could use this attack to possibly recover private keys.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Werner Koch reports :

CVE-2013-4576 has been assigned to this security bug.

The paper describes two attacks. The first attack allows to distinguish keys: An attacker is able to notice which key is currently used for decryption. This is in general not a problem but may be used to reveal the information that a message, encrypted to a commonly not used key, has been received by the targeted machine. We do not have a software solution to mitigate this attack.

The second attack is more serious. It is an adaptive chosen ciphertext attack to reveal the private key. A possible scenario is that the attacker places a sensor (for example a standard smartphone) in the vicinity of the targeted machine. That machine is assumed to do unattended RSA decryption of received mails, for example by using a mail client which speeds up browsing by opportunistically decrypting mails expected to be read soon. While listening to the acoustic emanations of the targeted machine, the smartphone will send new encrypted messages to that machine and re-construct the private key bit by bit. A 4096 bit RSA key used on a laptop can be revealed within an hour.

Genkin, Shamir and Tromer discovered that RSA key material could be extracted by using the sound generated by the computer during the decryption of some chosen ciphertexts.

ID	Name	Product	Family	Severity
72296	Amazon Linux AMI : gnupg (ALAS-2014-278)	Nessus	Amazon Linux Local Security Checks	low
71893	Scientific Linux Security Update : gnupg on SL5.x i386/x86_64 (20140108)	Nessus	Scientific Linux Local Security Checks	low
71878	RHEL 5 : gnupg (RHSA-2014:0016)	Nessus	Red Hat Local Security Checks	low
71876	Oracle Linux 5 : gnupg (ELSA-2014-0016)	Nessus	Oracle Linux Local Security Checks	low
71866	CentOS 5 : gnupg (CESA-2014:0016)	Nessus	CentOS Local Security Checks	low
71766	Fedora 19 : gnupg-1.4.16-2.fc19 (2013-23615)	Nessus	Fedora Local Security Checks	low
71573	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : gnupg (SSA:2013-354-01)	Nessus	Slackware Local Security Checks	low
71554	Mandriva Linux Security Advisory : gnupg (MDVSA-2013:295)	Nessus	Mandriva Local Security Checks	low
71532	Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 / 13.10 : gnupg vulnerability (USN-2059-1)	Nessus	Ubuntu Local Security Checks	low
71529	FreeBSD : gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack (2e5715f8-67f7-11e3-9811-b499baab0cbe)	Nessus	FreeBSD Local Security Checks	low
71526	Debian DSA-2821-1 : gnupg - side channel attack	Nessus	Debian Local Security Checks	low

Detections

Analytics

CVE-2013-4576

medium

Tenable Plugins

low

low

low

low

low

low

low

low

low

low

low