SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   GnuPG (Gnu Privacy Guard) Vendors:   Gnupg.org
GnuPG Flaw in Random Number Generator Mixing Functions Lets Users Predict Some Output
SecurityTracker Alert ID:  1036635
SecurityTracker URL:  http://securitytracker.com/id/1036635
CVE Reference:   CVE-2016-6313   (Links to External Site)
Updated:  Aug 17 2016
Original Entry Date:  Aug 17 2016
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.4.21
Description:   A vulnerability was reported in GnuPG. A local user can predict some random number generator output in certain cases.

A user that can obtain 4640 bits from the random number generator can exploit a flaw in the mixing functions to predict the next 160 bits of output. This may cause the system to generate weaker keys than intended in certain cases.

Libgcrypt is also affected. The impact depends on the application using libgcrypt.

[Editor's note: The vendor indicates that RSA keys generated in GPG are not adversely affected, based on initial analysis.

Felix Dorre and Vladimir Klebanov from the Karlsruhe Institute of Technology reported this vulnerability.

Impact:   A user with access to some of the random number generator (RNG) output can predict some of the subsequent RNG output.
Solution:   The vendor has issued a fix (1.4.21; Libgcrypt 1.5.6, 1.6.6, 1.7.3).

The vendor advisory is available at:

https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html

Vendor URL:  gnupg.org/ (Links to External Site)
Cause:   Randomization error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 19 2016 (Ubuntu Issues Fix) GnuPG Flaw in Random Number Generator Mixing Functions Lets Users Predict Some Output
Ubuntu has issued a fix for Ubuntu Linux 12.04 LTS, 14.04 LTS, and 16.04 LTS.
Nov 8 2016 (Red Hat Issues Fix) GnuPG Flaw in Random Number Generator Mixing Functions Lets Users Predict Some Output
Red Hat has issued a fix for Red Hat Enterprise Linux 6 and 7.
Nov 8 2016 (Oracle Issues Fix for Oracle Linux) GnuPG Flaw in Random Number Generator Mixing Functions Lets Users Predict Some Output
Oracle has issued a fix for Oracle Linux 6.
Jan 26 2017 (IBM Issues Fix for IBM Security Network Protection) GnuPG Flaw in Random Number Generator Mixing Functions Lets Users Predict Some Output
IBM has issued a fix for IBM Security Network Protection.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC