{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-12-18T00:00:00", "descriptions": [{"lang": "en", "value": "GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "64424", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/64424"}, {"name": "USN-2059-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2059-1"}, {"name": "101170", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/101170"}, {"name": "[gnupg-devel] 20131218 [Announce] [security fix] GnuPG 1.4.16 released", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html"}, {"name": "RHSA-2014:0016", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0016.html"}, {"name": "1029513", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1029513"}, {"name": "gunpg-cve20134576-info-disclosure(89846)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89846"}, {"name": "DSA-2821", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2013/dsa-2821"}, {"tags": ["x_refsource_MISC"], "url": "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf"}, {"name": "[oss-security] 20131218 Re: GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2013/q4/523"}, {"tags": ["x_refsource_MISC"], "url": "http://www.cs.tau.ac.il/~tromer/acoustic/"}, {"name": "[oss-security] 20131218 GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://seclists.org/oss-sec/2013/q4/520"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4576", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "64424", "refsource": "BID", "url": "http://www.securityfocus.com/bid/64424"}, {"name": "USN-2059-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2059-1"}, {"name": "101170", "refsource": "OSVDB", "url": "http://osvdb.org/101170"}, {"name": "[gnupg-devel] 20131218 [Announce] [security fix] GnuPG 1.4.16 released", "refsource": "MLIST", "url": "http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html"}, {"name": "RHSA-2014:0016", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-0016.html"}, {"name": "1029513", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1029513"}, {"name": "gunpg-cve20134576-info-disclosure(89846)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89846"}, {"name": "DSA-2821", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2013/dsa-2821"}, {"name": "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf", "refsource": "MISC", "url": "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf"}, {"name": "[oss-security] 20131218 Re: GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576)", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2013/q4/523"}, {"name": "http://www.cs.tau.ac.il/~tromer/acoustic/", "refsource": "MISC", "url": "http://www.cs.tau.ac.il/~tromer/acoustic/"}, {"name": "[oss-security] 20131218 GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576)", "refsource": "MLIST", "url": "http://seclists.org/oss-sec/2013/q4/520"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:45:14.839Z"}, "title": "CVE Program Container", "references": [{"name": "64424", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/64424"}, {"name": "USN-2059-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2059-1"}, {"name": "101170", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/101170"}, {"name": "[gnupg-devel] 20131218 [Announce] [security fix] GnuPG 1.4.16 released", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html"}, {"name": "RHSA-2014:0016", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-0016.html"}, {"name": "1029513", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1029513"}, {"name": "gunpg-cve20134576-info-disclosure(89846)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89846"}, {"name": "DSA-2821", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2013/dsa-2821"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf"}, {"name": "[oss-security] 20131218 Re: GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2013/q4/523"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.cs.tau.ac.il/~tromer/acoustic/"}, {"name": "[oss-security] 20131218 GnuPG 1.4.16 fixes RSA key extraction via acoustic side channel (CVE-2013-4576)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://seclists.org/oss-sec/2013/q4/520"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4576", "datePublished": "2013-12-20T21:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:45:14.839Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A287B57-D002-4A42-96F1-E1F701F9762C", "versionEndIncluding": "1.4.15", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B6863306-F7B8-47D9-8FF9-4340FC6D718F", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BA95D254-1D85-4523-9DF2-8A07BF05573E", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "9E24FB9C-1CA9-4A1B-8AF6-06B3C1865EF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D07D0653-4538-47D8-AB8F-0A23D65F0AE0", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "95E18355-65AF-4DB4-B6B2-431D7788FF23", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.4:-:win32:*:*:*:*:*", "matchCriteriaId": "0E61804F-21BA-4850-B859-D69C80F37FFC", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "88C40692-FE9F-48D6-9AEB-5F35FA369980", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.5:-:win32:*:*:*:*:*", "matchCriteriaId": "585F51C8-2FDC-46CE-9F71-ED9EE2ADA472", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "18395DAB-24DA-4ABD-ABD8-38A49417B052", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "6228E3FF-5EB4-4F46-9EA8-1B114947994D", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "96DEF388-2B09-4212-8AF5-9FE54CCAFEC8", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "1A798490-741B-4EB4-B1D9-353A181A7AA2", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.1:windows:*:*:*:*:*:*", "matchCriteriaId": "F781A379-57DF-4D1E-8B85-4FD637E4B967", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "8466E9BD-5623-40EE-A604-0F29C3520B63", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "4E98B61C-7093-4251-B1D8-59B647C2DF6B", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "6F9FCAC0-08D1-4044-A506-4AC14BF381CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "545E4C50-229D-4B27-9DB2-9D1204451A9E", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "D50A16A8-9C96-47CB-B18B-AE79C754ABBC", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "08877372-B7DD-4543-84A8-C40D2BA100F1", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "7135BE6C-E797-4C41-BCD5-161DC7561433", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "E909F1D4-AFB1-43F3-9635-E318D64099B4", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "DB4AAE4C-3F59-46D3-A38E-CC5DFCBEC3DF", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "688CDCA9-2809-4C0E-9DBC-133F48D56BEA", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "564B521B-3C7C-46CF-94E8-A368AF81DA54", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "FC04BFA0-C7B0-4F70-9676-8156C9CE18AE", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.90:*:*:*:*:*:*:*", "matchCriteriaId": "9F43CE80-06BC-4448-9033-F2F88663C527", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.91:*:*:*:*:*:*:*", "matchCriteriaId": "A7181202-BC32-4F1E-9EF8-F544CCDA1671", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.92:*:*:*:*:*:*:*", "matchCriteriaId": "F55827F8-CC36-45DA-8F9E-1F520911EB12", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.3.93:*:*:*:*:*:*:*", "matchCriteriaId": "CCEAA5DF-33D1-4D4A-BA01-4BC863DBC272", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "365FF476-1FFD-4E09-900C-50E0660766AB", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "28374619-966D-4F38-B83E-A6296F27CC05", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "22A28CDF-F2AF-4D49-9FB1-AED34A758289", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "6399A22D-90DF-4CB5-9367-0C5242BD1A2B", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.4:*:*:*:*:*:*:*", "matchCriteriaId": "D63B0B4A-3998-4A4F-AD7A-BB8CEBE897B9", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.5:*:*:*:*:*:*:*", "matchCriteriaId": "FDA6934A-3D02-4749-A147-BE538C0AF27F", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.6:*:*:*:*:*:*:*", "matchCriteriaId": "8B238CA5-3B4D-4D6A-92CA-39A7CD57AF40", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.8:*:*:*:*:*:*:*", "matchCriteriaId": "DC6150E3-1D7C-44DA-BA57-35AB26F881B1", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.10:*:*:*:*:*:*:*", "matchCriteriaId": "3EB20A34-5E11-4D70-B3DE-66DD9863AE0D", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.11:*:*:*:*:*:*:*", "matchCriteriaId": "CA47467D-3D96-46DB-B0AC-D28586829710", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.12:*:*:*:*:*:*:*", "matchCriteriaId": "68B68F2F-0718-4C87-9629-4657DC49EECC", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.13:*:*:*:*:*:*:*", "matchCriteriaId": "69D492F9-2064-488A-BD16-99DD865D2BF6", "vulnerable": true}, {"criteria": "cpe:2.3:a:gnupg:gnupg:1.4.14:*:*:*:*:*:*:*", "matchCriteriaId": "B4929286-63C2-45D0-B0C7-E14438D82883", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE."}, {"lang": "es", "value": "GnuPG 1.x anteriores a 1.4.16 genera claves RSA utilizando secuencias de introducciones con ciertos patrones que introducen un ataque de canal lateral, lo cual permite a atacantes f\u00edsicamente pr\u00f3ximos extraer claves RSA a trav\u00e9s de un ataque de texto cifrado elegido y criptoan\u00e1lisis ac\u00fastico durante el descifrado. NOTA: normalmente no se espera de las aplicaciones que se protejan ante ataques laterales ac\u00fasticos, dado que esto es responsabilidad del dispositivo f\u00edsico. De esta manera, problemas de este tipo no recibir\u00e1n normalmente un identificador CVE. En cualquier caso, para este problema, el desarrollador a especificado una pol\u00edtica de seguridad en la cual GnuPG deber\u00eda ofrecer resistencia ante cnales laterales, y violaciones de pol\u00edticas de seguridad espec\u00edficas para los desarrolladores est\u00e1n dentro del \u00e1mbito de CVE."}], "id": "CVE-2013-4576", "lastModified": "2024-11-21T01:55:51.773", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-12-20T21:55:06.930", "references": [{"source": "secalert@redhat.com", "tags": ["Patch", "Vendor Advisory"], "url": "http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html"}, {"source": "secalert@redhat.com", "url": "http://osvdb.org/101170"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2014-0016.html"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/oss-sec/2013/q4/520"}, {"source": "secalert@redhat.com", "url": "http://seclists.org/oss-sec/2013/q4/523"}, {"source": "secalert@redhat.com", "url": "http://www.cs.tau.ac.il/~tromer/acoustic/"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2013/dsa-2821"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/64424"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1029513"}, {"source": "secalert@redhat.com", "url": "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf"}, {"source": "secalert@redhat.com", "url": "http://www.ubuntu.com/usn/USN-2059-1"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89846"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "http://lists.gnupg.org/pipermail/gnupg-devel/2013-December/028102.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/101170"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2014-0016.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2013/q4/520"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/oss-sec/2013/q4/523"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.cs.tau.ac.il/~tromer/acoustic/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2013/dsa-2821"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/64424"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1029513"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.ubuntu.com/usn/USN-2059-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89846"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-255"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Werner Koch (GnuPG upstream) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2014:0016", "cpe": "cpe:/o:redhat:enterprise_linux:5", "package": "gnupg-0:1.4.5-18.el5_10.1", "product_name": "Red Hat Enterprise Linux 5", "release_date": "2014-01-08T00:00:00Z"}], "bugzilla": {"description": "gnupg: RSA secret key recovery via acoustic cryptanalysis", "id": "1043327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1043327"}, "csaw": false, "cvss": {"cvss_base_score": "2.9", "cvss_scoring_vector": "AV:A/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "details": ["GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE."], "name": "CVE-2013-4576", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "libgcrypt", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "libgcrypt", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libgcrypt", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2013-12-18T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-4576\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-4576\nhttp://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000337.html\nhttp://www.cs.tau.ac.il/~tromer/acoustic/"], "threat_severity": "Moderate", "upstream_fix": "gnupg 1.4.16"}