Side-Channel Attack Vulnerability in Libgcrypt Affecting OpenPGP
CVE-2021-33560

7.5HIGH

Key Information:

Vendor: Gnupg
Status: Libgcrypt
Vendor: CVE Published:; 8 June 2021

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2021-33560?

A flaw in Libgcrypt versions prior to 1.8.8 and 1.9.x before 1.9.3 compromises ElGamal encryption due to a lack of exponent blinding. This oversight allows for potential side-channel attacks through mpi_powm, making systems utilizing ElGamal in OpenPGP susceptible. The vulnerability highlights the importance of proper design in cryptographic implementations to mitigate risks associated with side-channel attacks.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

PGP-client-checker-CVE-2021-33560
Created by IBM

References

https://dev.gnupg.org/T5328

https://lists.debian.org/debian-lts-announce/2021/06/msg0...

mailing-list

https://lists.fedoraproject.org/archives/list/package-ann...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jul 16, 2021
👾
Exploit known to exist
Jul 16, 2021
Vulnerability published
Jun 8, 2021
Vulnerability Reserved
May 24, 2021

CVE-2021-33560 Data

JSON

Gnupg

Badges

What is CVE-2021-33560?

Exploit Proof of Concept (PoC)

References

CVSS V3.1

Timeline