CLD-434 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2018-0495 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) libgcrypt
Deficiency Type SECURITY
Date Created 2018-06-18 13:26:22
Date Last Modified 2018-06-18 13:37:35

Version Specific Information:

Cucumber 1.0 i686 fixed in libgcrypt-1.7.10-i686-1
Cucumber 1.0 x86_64 fixed in libgcrypt-1.7.10-x86_64-1 and libgcrypt-lib_i686-1.7.10-lib_i686-1

Cucumber 1.1 i686 fixed in libgcrypt-1.7.10-i686-1
Cucumber 1.1 x86_64 fixed in libgcrypt-1.7.10-x86_64-1 and libgcrypt-lib_i686-1.7.10-lib_i686-1

Details:

=================================== Overview ===================================

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache
side-channel attack on ECDSA signatures that can be mitigated through the use
of blinding during the signing process in the _gcry_ecc_ecdsa_sign function in
cipher/ecc-ecdsa.c, aka the Return Of the Hidden Number Problem or ROHNP. To
discover an ECDSA key, the attacker needs access to either the local machine or
a different virtual machine on the same physical host. 
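The overview above states the mitigation (blinding in the signing path) without showing what it changes. The following Python program is an added illustration for this record; it is not libgcrypt's code, and the actual change made in cipher/ecc-ecdsa.c is the one in the commit linked under Our Analysis. It assumes a textbook ECDSA over secp256k1 with a plain double-and-add scalar multiplication, and it uses additive scalar blinding (k + r*n for a fresh random r) as a representative blinding technique. The private key, nonce and message are constructed demo values. It shows that the blinded scalar fed to the point multiplication differs on every call while the resulting signature is unchanged and still verifies.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public curve constants, used here as a stand-in
# for whatever curve a libgcrypt ECDSA key would use).
P = 2**256 - 2**32 - 977
A = 0
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed demo values (not from the advisory): a private key, a nonce < N
# and a message.
DEMO_PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
DEMO_NONCE = 0x5C9D43B6B6C4A9A3F1A2E1D4C8B7A6F5E4D3C2B1A0918273645546372819AA11
DEMO_MSG = b"constructed sample message"


def inv(x, m):
    """Modular inverse (pow with exponent -1 needs Python 3.8+)."""
    return pow(x, -1, m)


def on_curve(pt):
    """True when pt satisfies y^2 = x^3 + A*x + B mod P."""
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Textbook double-and-add. Whether an addition runs in a given round
    depends on one bit of k, so the sequence of memory accesses follows the
    bits of the scalar; that is the kind of pattern a cache side channel sees."""
    result = None
    addend = pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def blind_scalar(k, extra_bits=64):
    """Additive blinding: k + r*N for a fresh random r >= 1. G has order N, so
    (k + r*N)*G == k*G, but the bit pattern driving mul() is re-randomised on
    every signature instead of being the nonce itself."""
    r = 1 + secrets.randbits(extra_bits)
    return k + r * N


def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k, blind=True):
    """ECDSA signing with a caller-supplied nonce so both variants can be
    compared. Only the scalar given to the point multiplication is blinded;
    the arithmetic on s uses the true k, so the signature itself is unchanged."""
    e = hash_to_int(msg)
    scalar = blind_scalar(k) if blind else k
    x, _ = mul(scalar, G)
    r = x % N
    s = inv(k, N) * (e + r * d) % N
    return (r, s)


def verify(Q, msg, sig):
    """Standard ECDSA verification against public key Q."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = hash_to_int(msg)
    w = inv(s, N)
    pt = add(mul(e * w % N, G), mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r


def demo():
    """Blinding changes the scalar mul() processes but not the signature."""
    Q = mul(DEMO_PRIV, G)
    plain = sign(DEMO_PRIV, DEMO_MSG, DEMO_NONCE, blind=False)
    blinded = sign(DEMO_PRIV, DEMO_MSG, DEMO_NONCE, blind=True)
    return {
        "signatures_equal": plain == blinded,
        "verifies": verify(Q, DEMO_MSG, blinded),
        "scalar_changed": blind_scalar(DEMO_NONCE) != DEMO_NONCE,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison in demo() is that the mitigation costs nothing in correctness: the blinded and unblinded paths produce the identical (r, s), so a library can switch the scalar-multiplication input to a randomised value without changing its output format or interoperability. The nonce k is still used unblinded in the computation of s here; a production implementation would treat that modular arithmetic with the same care.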

================================ Initial Report ================================

From https://lists.gnupg.org/pipermail/gnupg-announce/2018q2/000426.html:

Comments on the attack
======================

Details on CVE-2018-0495 can be found in the paper "Return of the Hidden
Number Problem" which can be downloaded from the advisory page.
See  for a timeline.

One user of Libgcrypt is GnuPG, thus a quick comment: GnuPG does not use
the vulnerable ECDSA signatures by default.  Further, it is much harder
to mount such an attack against an offline protocol like OpenPGP than
against online protocols like TLS.  Anyway, we also released a new
Windows installer for GnuPG 2.2.8 featuring the fixed Libgcrypt version.
That installer is linked from the usual download page and a new Gpg4win
version will be released soon.

============================ Additional Information ============================

See
https://www.nccgroup.trust/us/our-research/technical-advisory-return-of-the-hidden-number-problem/

================================= Our Analysis =================================

----- Affected Products -----
Libgcrypt prior to 1.7.10 or 1.8.3 that has not had the patch from
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965
applied is vulnerable. This includes libgcrypt as originally packaged in
Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
Allows a local attacker (or an attacker in another virtual machine on the same
physical host) to recover an ECDSA private key via a memory-cache side-channel
attack on the signing operation.

----- Fix for this Vulnerability -----
Can be fixed by upgrading to libgcrypt 1.7.10 or newer on the 1.7.x branch, to
1.8.3 or newer on the 1.8.x branch, or by applying the patch from
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=9010d1576e278a4274ad3f4aa15776c28f6ba965.

================================= Our Solution =================================

We have upgraded to libgcrypt 1.7.10.