CLD-434 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-0495 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) libgcrypt
Deficiency Type SECURITY
Date Created 2018-06-18 13:26:22
Date Last Modified 2018-06-18 13:37:35

Version Specific Information:

Cucumber 1.0 i686fixed in libgcrypt-1.7.10-i686-1
Cucumber 1.0 x86_64fixed in libgcrypt-1.7.10-x86_64-1 and libgcrypt-lib_i686-1.7.10-lib_i686-1

Cucumber 1.1 i686 fixed in libgcrypt-1.7.10-i686-1
Cucumber 1.1 x86_64 fixed in libgcrypt-1.7.10-x86_64-1 and libgcrypt-lib_i686-1.7.10-lib_i686-1


=================================== Overview ===================================

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache
side-channel attack on ECDSA signatures that can be mitigated through the use
of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in
cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To
discover an ECDSA key, the attacker needs access to either the local machine or
a different virtual machine on the same physical host. 

================================ Initial Report ================================


Comments on the attack

Details on CVE-2018-0495 can be found in the paper "Return of the Hidden
Number Problem" which can be downloaded from the advisory page
See  for a timeline.

One user of Libgcrypt is GnuPG, thus a quick comment: GnuPG does not use
the vulenrable ECDSA signatures by default.  Further, it is much harder
to mount such an attack against an offline protocol like OpenPGP than
against online protocols like TLS.  Anyway, we also released a new
Windows installer for GnuPG 2.2.8 featuring the fixed Libgcrypt version.
That installer is linked from the usual download page and a new Gpg4win
version will be released soon.

============================ Additional Information ============================


================================= Our Analysis =================================

----- Affected Products -----
Libgcrypt prior to 1.7.10 or 1.8.3 that has not had the patch from;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965
applied is vulnerable. This includes libgcrypt as originally packaged in
Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
Allows for a local attacker to discover a ECDSA key via a sidechannel attack.

----- Fix for this Vulnerability -----
Can be fixed by upgrading to libgcrypt 1.7.x version 1.7.10 or newer, 1.8.x
version 1.8.3 or newer or by applying the patch from;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965.

================================= Our Solution =================================

We have upgraded to libgcrypt 1.7.10.