CVE-2013-4576
GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.
Published at
2013-12-20T21:55Z
3871 days ago
Modified
2017-08-29T01:33Z
2524 days ago
CWE-255
Problem type
References
URL | Type |
---|---|
[oss-security] 20131218 Re: GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576) http://seclists.org/oss-sec/2013/q4/523 | MLIST |
[gnupg-devel] 20131218 [Announce] [security fix] GnuPG 1.4.16 released http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html | MLIST |
www.tau.ac.il http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf | MISC |
1029513 http://www.securitytracker.com/id/1029513 | SECTRACK |
64424 http://www.securityfocus.com/bid/64424 | BID |
[oss-security] 20131218 GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576) http://seclists.org/oss-sec/2013/q4/520 | MLIST |
www.cs.tau.ac.il http://www.cs.tau.ac.il/~tromer/acoustic/ | MISC |
101170 http://osvdb.org/101170 | OSVDB |
DSA-2821 http://www.debian.org/security/2013/dsa-2821 | DEBIAN |
USN-2059-1 http://www.ubuntu.com/usn/USN-2059-1 | UBUNTU |
RHSA-2014:0016 http://rhn.redhat.com/errata/RHSA-2014-0016.html | REDHAT |
gunpg-cve20134576-info-disclosure(89846) https://exchange.xforce.ibmcloud.com/vulnerabilities/89846 | XF |
GET https://vulnerabilitydata.com/api/details/CVE-2013-4576
{ "id": "CVE-2013-4576", "published_date": "2013-12-20T21:55Z", "last_modified_date": "2017-08-29T01:33Z", "assigner": "secalert@redhat.com", "description": "GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.", "references": [ { "url": "http://seclists.org/oss-sec/2013/q4/523", "name": "[oss-security] 20131218 Re: GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576)", "refsource": "MLIST", "tags": [] }, { "url": "http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html", "name": "[gnupg-devel] 20131218 [Announce] [security fix] GnuPG 1.4.16 released", "refsource": "MLIST", "tags": [ "Patch", "Vendor Advisory" ] }, { "url": "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf", "name": "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf", "refsource": "MISC", "tags": [] }, { "url": "http://www.securitytracker.com/id/1029513", "name": "1029513", "refsource": "SECTRACK", "tags": [] }, { "url": "http://www.securityfocus.com/bid/64424", "name": "64424", "refsource": "BID", "tags": [] }, { "url": "http://seclists.org/oss-sec/2013/q4/520", "name": "[oss-security] 20131218 GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576)", "refsource": "MLIST", "tags": [] }, { "url": "http://www.cs.tau.ac.il/~tromer/acoustic/", "name": "http://www.cs.tau.ac.il/~tromer/acoustic/", "refsource": "MISC", "tags": [] }, { "url": "http://osvdb.org/101170", "name": "101170", "refsource": "OSVDB", "tags": [] }, { "url": "http://www.debian.org/security/2013/dsa-2821", "name": "DSA-2821", "refsource": "DEBIAN", "tags": [] }, { "url": "http://www.ubuntu.com/usn/USN-2059-1", "name": "USN-2059-1", "refsource": "UBUNTU", "tags": [] }, { "url": "http://rhn.redhat.com/errata/RHSA-2014-0016.html", "name": "RHSA-2014:0016", "refsource": "REDHAT", "tags": [] }, { "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89846", "name": "gunpg-cve20134576-info-disclosure(89846)", "refsource": "XF", "tags": [] } ], "impact": { "baseMetricV2": { "cvssV2": { "version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1 }, "severity": "LOW", "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } }, "problem_type": "CWE-255" }