CVE-2021-33560
libgcrypt: mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. This, for example, affects use of ElGamal in OpenPGP.
Libgcrypt versiones anteriores a 1.8.8 y versiones 1.9.x anteriores a 1.9.3, maneja inapropiadamente el cifrado de ElGamal porque carece de cegado de exponentes para hacer frente a un ataque de canal lateral contra la función mpi_powm, y el tamaño de la ventana no se elige apropiadamente. Esto, por ejemplo, afecta el uso de ElGamal en OpenPGP.
A side-channel attack flaw was found in the way libgcrypt implemented Elgamal encryption. This flaw allows an attacker to decrypt parts of ciphertext encrypted using Elgamal, for example, when using OpenPGP. The highest threat from this vulnerability is to confidentiality.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-05-24 CVE Reserved
- 2021-06-08 CVE Published
- 2023-07-19 First Exploit
- 2024-05-14 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-203: Observable Discrepancy
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CAPEC
References (15)
URL | Tag | Source |
---|---|---|
https://lists.debian.org/debian-lts-announce/2021/06/msg00021.html | Mailing List | |
https://www.oracle.com/security-alerts/cpuoct2021.html | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://github.com/IBM/PGP-client-checker-CVE-2021-33560 | 2023-07-19 |
URL | Date | SRC |
---|---|---|
https://dev.gnupg.org/rCe8b7f10be275bcedb5fc05ed4837a89bfd605c61 | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpuapr2022.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 | |
https://www.oracle.com/security-alerts/cpujul2022.html | 2023-11-07 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | < 1.8.8 Search vendor "Gnupg" for product "Libgcrypt" and version " < 1.8.8" | - |
Affected
| ||||||
Gnupg Search vendor "Gnupg" | Libgcrypt Search vendor "Gnupg" for product "Libgcrypt" | >= 1.9.0 < 1.9.3 Search vendor "Gnupg" for product "Libgcrypt" and version " >= 1.9.0 < 1.9.3" | - |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Binding Support Function Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" | 1.11.0 Search vendor "Oracle" for product "Communications Cloud Native Core Binding Support Function" and version "1.11.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Function Cloud Native Environment Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" | 1.9.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" and version "1.9.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Function Cloud Native Environment Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" | 1.10.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Function Cloud Native Environment" and version "1.10.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" | 1.14.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "1.14.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" | 1.15.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "1.15.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Repository Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" | 1.15.1 Search vendor "Oracle" for product "Communications Cloud Native Core Network Repository Function" and version "1.15.1" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Network Slice Selection Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" | 1.8.0 Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "1.8.0" | - |
Affected
| ||||||
Oracle Search vendor "Oracle" | Communications Cloud Native Core Service Communication Proxy Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" | 1.15.0 Search vendor "Oracle" for product "Communications Cloud Native Core Service Communication Proxy" and version "1.15.0" | - |
Affected
|