Elgamal Decryption Flaw in Libgcrypt and GnuPG Products
CVE-2014-3591
4.2 MEDIUM
Summary
Libgcrypt versions prior to 1.6.3 and GnuPG versions below 1.4.19 do not implement ciphertext blinding for Elgamal decryption. This flaw enables an attacker in close physical proximity to potentially extract the server's private key by using crafted ciphertext together with the fluctuations in electromagnetic radiation emitted during the decryption process. This poses a critical risk to the confidentiality of encrypted data, making it essential for users of these libraries to update to secure versions.
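The sketch below is an added illustration, not code from Libgcrypt or GnuPG: it contrasts Elgamal decryption without blinding against a textbook re-randomization blinding, so the secret exponent is never applied to a value the sender chose. The parameters, function names and the extra return value are assumptions made for the example, and Python's `pow` is not constant-time, so this shows the algebra only.

```python
import secrets

# Constructed toy parameters (illustration only, far too small for real use).
P = 2**127 - 1          # Mersenne prime modulus
G = 3                   # public base

def _rand_exp():
    """Random exponent in [2, P-2]."""
    return secrets.randbelow(P - 3) + 2

def keygen():
    x = _rand_exp()                       # private key
    return x, pow(G, x, P)                # (x, y = g^x mod p)

def encrypt(y, m):
    k = _rand_exp()
    return pow(G, k, P), (m * pow(y, k, P)) % P

def _check(c1, c2):
    # Reject components outside Z_p*; 0 would also make the inverse fail.
    if not (0 < c1 < P and 0 < c2 < P):
        raise ValueError("ciphertext component out of range")

def decrypt_unblinded(x, c1, c2):
    _check(c1, c2)
    # Secret exponent x is applied directly to the sender-chosen c1.
    s = pow(c1, x, P)
    return (c2 * pow(s, -1, P)) % P

def decrypt_blinded(x, y, c1, c2):
    _check(c1, c2)
    # Re-randomize with a fresh r using only public values:
    #   b1 = c1 * g^r,  b2 = c2 * y^r   (still an encryption of m)
    r = _rand_exp()
    b1 = (c1 * pow(G, r, P)) % P
    b2 = (c2 * pow(y, r, P)) % P
    # x now operates on b1, which the sender cannot predict or control.
    s = pow(b1, x, P)
    # b1 is returned only so a caller can observe that the base changes.
    return (b2 * pow(s, -1, P)) % P, b1
```

Both functions return the same plaintext; the difference is that the base of the secret exponentiation in `decrypt_blinded` changes on every call, even for an identical ciphertext.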
Affected Version(s)
GnuPG before 1.4.19
Libgcrypt before 1.6.3
CVSS V3.1
Score: 4.2
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Physical
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved