SecurityTracker.com
Category:   Application (Security)  >   Libgcrypt
Vendors:   Gnupg.org
Libgcrypt ECDSA Signature Calculation Timing Flaw Lets Local Users Obtain Private DSA Keys on the Target System
SecurityTracker Alert ID:  1041144
SecurityTracker URL:  http://securitytracker.com/id/1041144
CVE Reference:   CVE-2018-0495
Date:  Jun 20 2018
Impact:   Disclosure of authentication information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 1.8.3
Description:   A vulnerability was reported in Libgcrypt. A local user can obtain private keys in certain cases.

The code that performs modular addition when calculating ECDSA signatures does not run in constant time. A local user who can conduct memory-cache side-channel attacks against ECDSA signatures can recover the DSA private key.

This vulnerability is known as "The Return of the Hidden Number Problem" (ROHNP).

Other cryptographic libraries are affected.

[Editor's note: GnuPG uses Libgcrypt but does not use the affected ECDSA signatures in the default configuration.]

The original advisory is available at:

https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

Keegan Ryan of NCC Group reported this vulnerability.

Impact:   A local user can obtain DSA private keys on the target system.
Solution:   The vendor has issued a fix (1.7.10, 1.8.3).

The vendor advisory is available at:

https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html
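
A version check against the fixed releases named above (1.7.10 and 1.8.3), as an added example that is not part of the original advisory or the vendor's code. The function names are hypothetical, and treating branches other than 1.7 and 1.8 as fixed only from 1.8.3 onward is an assumption based on the "prior to 1.8.3" statement.

```python
# Added example: compare a Libgcrypt version with the advisory's fixed releases.
import ctypes
import ctypes.util
import re

# Fixed releases stated in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH = {(1, 7): (1, 7, 10), (1, 8): (1, 8, 3)}
FIRST_FIXED_MAINLINE = (1, 8, 3)


def parse_version(text):
    """Return (major, minor, patch) from strings such as '1.8.1' or '1.7.6-beta'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def has_upstream_fix(text):
    """True if the upstream version is at or past the fixed release for its branch."""
    version = parse_version(text)
    branch_fix = FIXED_BY_BRANCH.get(version[:2])
    if branch_fix is not None:
        return version >= branch_fix
    # Assumption: any other branch counts as fixed only from 1.8.3 onward,
    # following the advisory's "prior to 1.8.3".
    return version >= FIRST_FIXED_MAINLINE


def loaded_libgcrypt_version():
    """Ask the local shared library for its version, or return None if absent."""
    name = ctypes.util.find_library("gcrypt")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
    except OSError:
        return None
    lib.gcry_check_version.restype = ctypes.c_char_p
    lib.gcry_check_version.argtypes = [ctypes.c_char_p]
    # Passing NULL returns the version string without enforcing a minimum.
    return lib.gcry_check_version(None).decode("ascii")


if __name__ == "__main__":
    found = loaded_libgcrypt_version()
    print("libgcrypt not found" if found is None
          else f"libgcrypt {found}: upstream fix present = {has_upstream_fix(found)}")
```

A distribution package may carry a backported fix under an older upstream version string, so a negative result should be checked against the distribution's own advisory.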

Vendor URL:  gnupg.org/
Cause:   State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 20 2018 (Ubuntu Issues Fix) Libgcrypt ECDSA Signature Calculation Timing Flaw Lets Local Users Obtain Private DSA Keys on the Target System
Ubuntu has issued a fix for Ubuntu Linux 12.04 ESM.
Jun 20 2018 (Ubuntu Issues Fix) Libgcrypt ECDSA Signature Calculation Timing Flaw Lets Local Users Obtain Private DSA Keys on the Target System
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, 17.10, and 18.04 LTS.


