From 67024f3f29c64f8d7936aa38199d7ed0ea7fe4d1 Mon Sep 17 00:00:00 2001 From: Jun Kuriyama Date: Wed, 18 Dec 2013 15:22:59 +0000 Subject: [PATCH] Add about gnupg-1.4.16. --- security/vuxml/vuln.xml | 45 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 14761443e7bc..e5413c1757f2 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -51,6 +51,51 @@ Note: Please add new entries to the beginning of this file. --> + + gnupg -- RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis attack + + + gnupg + 1.4.16 + + + + +

Werner Koch reports:

+
+

CVE-2013-4576 has been assigned to this security bug.

+ +

The paper describes two attacks. The first attack allows +to distinguish keys: An attacker is able to notice which key is +currently used for decryption. This is in general not a problem but +may be used to reveal the information that a message, encrypted to a +commonly not used key, has been received by the targeted machine. We +do not have a software solution to mitigate this attack.

+ +

The second attack is more serious. It is an adaptive +chosen ciphertext attack to reveal the private key. A possible +scenario is that the attacker places a sensor (for example a standard +smartphone) in the vicinity of the targeted machine. That machine is +assumed to do unattended RSA decryption of received mails, for example +by using a mail client which speeds up browsing by opportunistically +decrypting mails expected to be read soon. While listening to the +acoustic emanations of the targeted machine, the smartphone will send +new encrypted messages to that machine and re-construct the private +key bit by bit. A 4096 bit RSA key used on a laptop can be revealed +within an hour.

+
+ + + + CVE-2013-4576 + http://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html + + + 2013-12-18 + 2013-12-18 + + + asterisk -- multiple vulnerabilities