FKIE_CVE-2013-4576
Vulnerability from fkie_nvd - Published: 2013-12-20 21:55 - Updated: 2025-04-11 00:51
Severity ?
Summary
GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gnupg | gnupg | * | |
| gnupg | gnupg | 1.0.0 | |
| gnupg | gnupg | 1.0.1 | |
| gnupg | gnupg | 1.0.2 | |
| gnupg | gnupg | 1.0.3 | |
| gnupg | gnupg | 1.0.4 | |
| gnupg | gnupg | 1.0.4 | |
| gnupg | gnupg | 1.0.5 | |
| gnupg | gnupg | 1.0.5 | |
| gnupg | gnupg | 1.0.6 | |
| gnupg | gnupg | 1.0.7 | |
| gnupg | gnupg | 1.2.0 | |
| gnupg | gnupg | 1.2.1 | |
| gnupg | gnupg | 1.2.1 | |
| gnupg | gnupg | 1.2.2 | |
| gnupg | gnupg | 1.2.3 | |
| gnupg | gnupg | 1.2.4 | |
| gnupg | gnupg | 1.2.5 | |
| gnupg | gnupg | 1.2.6 | |
| gnupg | gnupg | 1.2.7 | |
| gnupg | gnupg | 1.3.0 | |
| gnupg | gnupg | 1.3.1 | |
| gnupg | gnupg | 1.3.2 | |
| gnupg | gnupg | 1.3.3 | |
| gnupg | gnupg | 1.3.4 | |
| gnupg | gnupg | 1.3.6 | |
| gnupg | gnupg | 1.3.90 | |
| gnupg | gnupg | 1.3.91 | |
| gnupg | gnupg | 1.3.92 | |
| gnupg | gnupg | 1.3.93 | |
| gnupg | gnupg | 1.4 | |
| gnupg | gnupg | 1.4.0 | |
| gnupg | gnupg | 1.4.2 | |
| gnupg | gnupg | 1.4.3 | |
| gnupg | gnupg | 1.4.4 | |
| gnupg | gnupg | 1.4.5 | |
| gnupg | gnupg | 1.4.6 | |
| gnupg | gnupg | 1.4.8 | |
| gnupg | gnupg | 1.4.10 | |
| gnupg | gnupg | 1.4.11 | |
| gnupg | gnupg | 1.4.12 | |
| gnupg | gnupg | 1.4.13 | |
| gnupg | gnupg | 1.4.14 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A287B57-D002-4A42-96F1-E1F701F9762C",
"versionEndIncluding": "1.4.15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B6863306-F7B8-47D9-8FF9-4340FC6D718F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BA95D254-1D85-4523-9DF2-8A07BF05573E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9E24FB9C-1CA9-4A1B-8AF6-06B3C1865EF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D07D0653-4538-47D8-AB8F-0A23D65F0AE0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "95E18355-65AF-4DB4-B6B2-431D7788FF23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.4:-:win32:*:*:*:*:*",
"matchCriteriaId": "0E61804F-21BA-4850-B859-D69C80F37FFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "88C40692-FE9F-48D6-9AEB-5F35FA369980",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.5:-:win32:*:*:*:*:*",
"matchCriteriaId": "585F51C8-2FDC-46CE-9F71-ED9EE2ADA472",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "18395DAB-24DA-4ABD-ABD8-38A49417B052",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "6228E3FF-5EB4-4F46-9EA8-1B114947994D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "96DEF388-2B09-4212-8AF5-9FE54CCAFEC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "1A798490-741B-4EB4-B1D9-353A181A7AA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.1:windows:*:*:*:*:*:*",
"matchCriteriaId": "F781A379-57DF-4D1E-8B85-4FD637E4B967",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "8466E9BD-5623-40EE-A604-0F29C3520B63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4E98B61C-7093-4251-B1D8-59B647C2DF6B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "6F9FCAC0-08D1-4044-A506-4AC14BF381CA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "545E4C50-229D-4B27-9DB2-9D1204451A9E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D50A16A8-9C96-47CB-B18B-AE79C754ABBC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.7:*:*:*:*:*:*:*",
"matchCriteriaId": "08877372-B7DD-4543-84A8-C40D2BA100F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "7135BE6C-E797-4C41-BCD5-161DC7561433",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E909F1D4-AFB1-43F3-9635-E318D64099B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "DB4AAE4C-3F59-46D3-A38E-CC5DFCBEC3DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "688CDCA9-2809-4C0E-9DBC-133F48D56BEA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "564B521B-3C7C-46CF-94E8-A368AF81DA54",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FC04BFA0-C7B0-4F70-9676-8156C9CE18AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.90:*:*:*:*:*:*:*",
"matchCriteriaId": "9F43CE80-06BC-4448-9033-F2F88663C527",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.91:*:*:*:*:*:*:*",
"matchCriteriaId": "A7181202-BC32-4F1E-9EF8-F544CCDA1671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.92:*:*:*:*:*:*:*",
"matchCriteriaId": "F55827F8-CC36-45DA-8F9E-1F520911EB12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.93:*:*:*:*:*:*:*",
"matchCriteriaId": "CCEAA5DF-33D1-4D4A-BA01-4BC863DBC272",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "365FF476-1FFD-4E09-900C-50E0660766AB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "28374619-966D-4F38-B83E-A6296F27CC05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "22A28CDF-F2AF-4D49-9FB1-AED34A758289",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "6399A22D-90DF-4CB5-9367-0C5242BD1A2B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "D63B0B4A-3998-4A4F-AD7A-BB8CEBE897B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "FDA6934A-3D02-4749-A147-BE538C0AF27F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "8B238CA5-3B4D-4D6A-92CA-39A7CD57AF40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "DC6150E3-1D7C-44DA-BA57-35AB26F881B1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "3EB20A34-5E11-4D70-B3DE-66DD9863AE0D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.11:*:*:*:*:*:*:*",
"matchCriteriaId": "CA47467D-3D96-46DB-B0AC-D28586829710",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.12:*:*:*:*:*:*:*",
"matchCriteriaId": "68B68F2F-0718-4C87-9629-4657DC49EECC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.13:*:*:*:*:*:*:*",
"matchCriteriaId": "69D492F9-2064-488A-BD16-99DD865D2BF6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.14:*:*:*:*:*:*:*",
"matchCriteriaId": "B4929286-63C2-45D0-B0C7-E14438D82883",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE."
},
{
"lang": "es",
"value": "GnuPG 1.x anteriores a 1.4.16 genera claves RSA utilizando secuencias de introducciones con ciertos patrones que introducen un ataque de canal lateral, lo cual permite a atacantes f\u00edsicamente pr\u00f3ximos extraer claves RSA a trav\u00e9s de un ataque de texto cifrado elegido y criptoan\u00e1lisis ac\u00fastico durante el descifrado. NOTA: normalmente no se espera de las aplicaciones que se protejan ante ataques laterales ac\u00fasticos, dado que esto es responsabilidad del dispositivo f\u00edsico. De esta manera, problemas de este tipo no recibir\u00e1n normalmente un identificador CVE. En cualquier caso, para este problema, el desarrollador a especificado una pol\u00edtica de seguridad en la cual GnuPG deber\u00eda ofrecer resistencia ante cnales laterales, y violaciones de pol\u00edticas de seguridad espec\u00edficas para los desarrolladores est\u00e1n dentro del \u00e1mbito de CVE."
}
],
"id": "CVE-2013-4576",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2013-12-20T21:55:06.930",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html"
},
{
"source": "secalert@redhat.com",
"url": "http://osvdb.org/101170"
},
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0016.html"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/oss-sec/2013/q4/520"
},
{
"source": "secalert@redhat.com",
"url": "http://seclists.org/oss-sec/2013/q4/523"
},
{
"source": "secalert@redhat.com",
"url": "http://www.cs.tau.ac.il/~tromer/acoustic/"
},
{
"source": "secalert@redhat.com",
"url": "http://www.debian.org/security/2013/dsa-2821"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securityfocus.com/bid/64424"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1029513"
},
{
"source": "secalert@redhat.com",
"url": "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf"
},
{
"source": "secalert@redhat.com",
"url": "http://www.ubuntu.com/usn/USN-2059-1"
},
{
"source": "secalert@redhat.com",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89846"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://osvdb.org/101170"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0016.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/oss-sec/2013/q4/520"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://seclists.org/oss-sec/2013/q4/523"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.cs.tau.ac.il/~tromer/acoustic/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.debian.org/security/2013/dsa-2821"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securityfocus.com/bid/64424"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1029513"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ubuntu.com/usn/USN-2059-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89846"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-255"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…