製品・ソフトウェアに関する情報

JVN脆弱性詳細

GnuPG における RSA 鍵を抽出される脆弱性

Title	GnuPG における RSA 鍵を抽出される脆弱性
Summary	GnuPG は、サイドチャネルを引き起こす特定のパターンを含むシーケンスを使用する RSA 鍵を生成するため、RSA 鍵を抽出される脆弱性が存在します。
Possible impacts	物理的に端末の操作が可能な攻撃者により、復号中の選択暗号文攻撃および音響解析 (acoustic cryptanalysis) を介して、RSA 鍵を抽出される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 18, 2013, midnight
Registration Date	Dec. 24, 2013, 7:04 p.m.
Last Update	March 10, 2014, 4:44 p.m.

CVSS2.0 : 注意
Score	2.1
Vector	AV:L/AC:L/Au:N/C:P/I:N/A:N

Affected System

GNU Project

GnuPG 1.4.16 未満の 1.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-4576	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4576
National Vulnerability Database (NVD)
2	CVE-2013-4576	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4576

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-255	https://jvndb.jvn.jp/ja/cwe/CWE-255.html

ベンダー情報

No	Name	URL
Debian Security Advisory
1	DSA-2821	http://www.debian.org/security/2013/dsa-2821
GnuPG Project
2	[Announce] [security fix] GnuPG 1.4.16 released	http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html
Red Hat Bugzilla
3	Bug 1043327	https://bugzilla.redhat.com/show_bug.cgi?id=1043327
Red Hat Security Advisory
4	RHSA-2014:0016	http://rhn.redhat.com/errata/RHSA-2014-0016.html

その他

No	Name	URL
関連文書
1	RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis	http://www.cs.tau.ac.il/~tromer/acoustic/

Change Log

No	Changed Details	Date of change
0	[2013年12月24日] 掲載 [2014年03月10日] ベンダ情報：レッドハット (RHSA-2014:0016) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-4576

Summary	GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.
Publication Date	Dec. 21, 2013, 6:55 a.m.
Registration Date	Jan. 26, 2021, 3:43 p.m.
Last Update	Nov. 21, 2024, 10:55 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:gnupg:gnupg:1.4.8:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.3:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.3:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.1:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.1:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.6:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.14:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.93:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.2:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.10:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.4:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.0:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.6:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.2:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.4:::::::*
cpe:2.3:a:gnupg:gnupg::::::::		1.4.15
cpe:2.3:a:gnupg:gnupg:1.4.13:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.0:::::::*
cpe:2.3:a:gnupg:gnupg:1.4:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.12:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.92:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.7:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.5:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.2:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.4:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.91:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.1:windows::::::
cpe:2.3:a:gnupg:gnupg:1.0.5:-:win32:::::*
cpe:2.3:a:gnupg:gnupg:1.0.4:-:win32:::::*
cpe:2.3:a:gnupg:gnupg:1.2.0:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.6:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.3:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.7:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.2:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.11:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.3:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.5:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.1:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.4:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.5:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.90:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.0:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.6:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html	Patch Vendor Advisory
2	http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html	Patch Vendor Advisory
3	http://osvdb.org/101170
4	http://osvdb.org/101170
5	http://rhn.redhat.com/errata/RHSA-2014-0016.html
6	http://rhn.redhat.com/errata/RHSA-2014-0016.html
7	http://seclists.org/oss-sec/2013/q4/520
8	http://seclists.org/oss-sec/2013/q4/520
9	http://seclists.org/oss-sec/2013/q4/523
10	http://seclists.org/oss-sec/2013/q4/523
11	http://www.cs.tau.ac.il/~tromer/acoustic/
12	http://www.cs.tau.ac.il/~tromer/acoustic/
13	http://www.debian.org/security/2013/dsa-2821
14	http://www.debian.org/security/2013/dsa-2821
15	http://www.securityfocus.com/bid/64424
16	http://www.securityfocus.com/bid/64424
17	http://www.securitytracker.com/id/1029513
18	http://www.securitytracker.com/id/1029513
19	http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
20	http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
21	http://www.ubuntu.com/usn/USN-2059-1
22	http://www.ubuntu.com/usn/USN-2059-1
23	https://exchange.xforce.ibmcloud.com/vulnerabilities/89846
24	https://exchange.xforce.ibmcloud.com/vulnerabilities/89846

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-255	証明書・パスワード管理	https://cwe.mitre.org/data/definitions/255.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:gnupg:gnupg:1.4.8:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.3:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.3:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.1:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.1:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.6:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.14:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.93:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.2:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.10:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.4:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.0:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.6:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.2:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.4:::::::*
cpe:2.3:a:gnupg:gnupg::::::::		1.4.15
cpe:2.3:a:gnupg:gnupg:1.4.13:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.0:::::::*
cpe:2.3:a:gnupg:gnupg:1.4:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.12:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.92:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.7:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.5:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.2:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.4:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.91:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.1:windows::::::
cpe:2.3:a:gnupg:gnupg:1.0.5:-:win32:::::*
cpe:2.3:a:gnupg:gnupg:1.0.4:-:win32:::::*
cpe:2.3:a:gnupg:gnupg:1.2.0:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.6:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.3:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.7:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.2:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.11:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.3:::::::*
cpe:2.3:a:gnupg:gnupg:1.4.5:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.1:::::::*
cpe:2.3:a:gnupg:gnupg:1.2.4:::::::*
cpe:2.3:a:gnupg:gnupg:1.0.5:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.90:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.0:::::::*
cpe:2.3:a:gnupg:gnupg:1.3.6:::::::*