Vulnerabilities > CVE-2005-0366 - Inadequate Encryption Strength vulnerability in Gnupg
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Brute Force In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset. Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. While the defender cannot control the resources available to an attacker, they can control the size of the secret space. Creating a large secret space involves selecting one's secret from as large a field of equally likely alternative secrets as possible and ensuring that an attacker is unable to reduce the size of this field using available clues or cryptanalysis. Doing this is more difficult than it sounds since elimination of patterns (which, in turn, would provide an attacker clues that would help them reduce the space of potential secrets) is difficult to do using deterministic machines, such as computers. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information. For example, a secret space that will likely take hundreds of years to explore is likely safe from raw-brute force attacks.
- Encryption Brute Forcing An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_8375A73F01BF11DABC080001020EED82.NASL description Serge Mister and Robert Zuccherato reports that the OpenPGP protocol is vulnerable to a cryptographic attack when using symmetric encryption in an automated way. David Shaw reports about the impact : This attack, while very significant from a cryptographic point of view, is not generally effective in the real world. To be specific, unless you have your OpenPGP program set up as part of an automated system to accept encrypted messages, decrypt them, and then provide a response to the submitter, then this does not affect you at all. Note that the fix in GnuPG does note completely eliminate the potential problem : These patches disable a portion of the OpenPGP protocol that the attack is exploiting. This change should not be user visible. With the patch in place, this attack will not work using a public-key encrypted message. It will still work using a passphrase-encrypted message. last seen 2020-06-01 modified 2020-06-02 plugin id 19349 published 2005-08-01 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/19349 title FreeBSD : gnupg -- OpenPGP symmetric encryption vulnerability (8375a73f-01bf-11da-bc08-0001020eed82) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(19349); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:37"); script_cve_id("CVE-2005-0366"); script_xref(name:"CERT", value:"303094"); script_name(english:"FreeBSD : gnupg -- OpenPGP symmetric encryption vulnerability (8375a73f-01bf-11da-bc08-0001020eed82)"); script_summary(english:"Checks for updated packages in pkg_info output"); script_set_attribute( attribute:"synopsis", value: "The remote FreeBSD host is missing one or more security-related updates." ); script_set_attribute( attribute:"description", value: "Serge Mister and Robert Zuccherato reports that the OpenPGP protocol is vulnerable to a cryptographic attack when using symmetric encryption in an automated way. David Shaw reports about the impact : This attack, while very significant from a cryptographic point of view, is not generally effective in the real world. To be specific, unless you have your OpenPGP program set up as part of an automated system to accept encrypted messages, decrypt them, and then provide a response to the submitter, then this does not affect you at all. Note that the fix in GnuPG does note completely eliminate the potential problem : These patches disable a portion of the OpenPGP protocol that the attack is exploiting. This change should not be user visible. With the patch in place, this attack will not work using a public-key encrypted message. It will still work using a passphrase-encrypted message." ); # http://eprint.iacr.org/2005/033 script_set_attribute( attribute:"see_also", value:"https://eprint.iacr.org/2005/033" ); # http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html script_set_attribute( attribute:"see_also", value:"https://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000191.html" ); # http://www.pgp.com/newsroom/ctocorner/openpgp.html script_set_attribute( attribute:"see_also", value:"https://www.symantec.com/business/theme.jsp?themeid=pgp" ); # https://vuxml.freebsd.org/freebsd/8375a73f-01bf-11da-bc08-0001020eed82.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f330b2a6" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:gnupg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:p5-Crypt-OpenPGP"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:pgp"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/02/08"); script_set_attribute(attribute:"patch_publication_date", value:"2005/07/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/08/01"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"gnupg<1.4.1")) flag++; if (pkg_test(save_report:TRUE, pkg:"p5-Crypt-OpenPGP<=1.03")) flag++; if (pkg_test(save_report:TRUE, pkg:"pgp>=3.0")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200503-29.NASL description The remote host is affected by the vulnerability described in GLSA-200503-29 (GnuPG: OpenPGP protocol attack) A flaw has been identified in an integrity checking mechanism of the OpenPGP protocol. Impact : An automated system using GnuPG that allows an attacker to repeatedly discover the outcome of an integrity check (perhaps by observing the time required to return a response, or via overly verbose error messages) could theoretically reveal a small portion of plaintext. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 17616 published 2005-03-25 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17616 title GLSA-200503-29 : GnuPG: OpenPGP protocol attack code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200503-29. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(17616); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:32:42"); script_cve_id("CVE-2005-0366"); script_xref(name:"CERT", value:"303094"); script_xref(name:"GLSA", value:"200503-29"); script_name(english:"GLSA-200503-29 : GnuPG: OpenPGP protocol attack"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200503-29 (GnuPG: OpenPGP protocol attack) A flaw has been identified in an integrity checking mechanism of the OpenPGP protocol. Impact : An automated system using GnuPG that allows an attacker to repeatedly discover the outcome of an integrity check (perhaps by observing the time required to return a response, or via overly verbose error messages) could theoretically reveal a small portion of plaintext. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200503-29" ); script_set_attribute( attribute:"solution", value: "All GnuPG users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=app-crypt/gnupg-1.4.1'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:gnupg"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2005/03/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"app-crypt/gnupg", unaffected:make_list("ge 1.4.1"), vulnerable:make_list("lt 1.4.1"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "GnuPG"); }NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-057.NASL description The OpenPGP protocol is vulnerable to a timing-attack in order to gain plain text from cipher text. The timing difference appears as a side effect of the so-called last seen 2020-06-01 modified 2020-06-02 plugin id 17334 published 2005-03-16 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17334 title Mandrake Linux Security Advisory : gnupg (MDKSA-2005:057) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandrake Linux Security Advisory MDKSA-2005:057. # The text itself is copyright (C) Mandriva S.A. # include("compat.inc"); if (description) { script_id(17334); script_version ("1.16"); script_cvs_date("Date: 2019/08/02 13:32:47"); script_cve_id("CVE-2005-0366"); script_xref(name:"CERT", value:"303094"); script_xref(name:"MDKSA", value:"2005:057"); script_name(english:"Mandrake Linux Security Advisory : gnupg (MDKSA-2005:057)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Mandrake Linux host is missing a security update." ); script_set_attribute( attribute:"description", value: "The OpenPGP protocol is vulnerable to a timing-attack in order to gain plain text from cipher text. The timing difference appears as a side effect of the so-called 'quick scan' and is only exploitable on systems that accept an arbitrary amount of cipher text for automatic decryption. The updated packages have been patched to disable the quick check for all public key-encrypted messages and files." ); script_set_attribute( attribute:"see_also", value:"http://www.pgp.com/library/ctocorner/openpgp.html" ); script_set_attribute(attribute:"solution", value:"Update the affected gnupg package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:gnupg"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2"); script_set_attribute(attribute:"patch_publication_date", value:"2005/03/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/16"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK10.0", reference:"gnupg-1.2.4-1.1.100mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK10.1", reference:"gnupg-1.2.4-1.1.101mdk", yank:"mdk")) flag++; if (rpm_check(release:"MDK9.2", reference:"gnupg-1.2.3-3.2.92mdk", yank:"mdk")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-170-1.NASL description Serge Mister and Robert Zuccherato discovered a weakness of the symmetrical encryption algorithm of gnupg. When decrypting a message, gnupg uses a feature called last seen 2020-06-01 modified 2020-06-02 plugin id 20577 published 2006-01-15 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20577 title Ubuntu 4.10 / 5.04 : gnupg vulnerability (USN-170-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-170-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(20577); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:33:00"); script_cve_id("CVE-2005-0366"); script_xref(name:"USN", value:"170-1"); script_name(english:"Ubuntu 4.10 / 5.04 : gnupg vulnerability (USN-170-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Serge Mister and Robert Zuccherato discovered a weakness of the symmetrical encryption algorithm of gnupg. When decrypting a message, gnupg uses a feature called 'quick scan'; this can quickly check whether the key that is used for decryption is (probably) the right one, so that wrong keys can be determined quickly without decrypting the whole message. A failure of the quick scan will be determined much faster than a successful one. Mister/Zuccherato demonstrated that this timing difference can be exploited to an attack which allows an attacker to decrypt parts of an encrypted message if an 'oracle' is available, i. e. an automatic system that receives random encrypted messages from the attacker and answers whether it passes the quick scan check. However, since the attack requires a huge amount of oracle answers (about 32.000 for every 16 bytes of ciphertext), this attack is mostly theoretical. It does not have any impact on human operation of gnupg and is not believed to be exploitable in practice. The updated packages disable the quick check, which renders this timing attack impossible. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute(attribute:"solution", value:"Update the affected gnupg package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:gnupg"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04"); script_set_attribute(attribute:"patch_publication_date", value:"2005/08/19"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(4\.10|5\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10 / 5.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"4.10", pkgname:"gnupg", pkgver:"1.2.4-4ubuntu2.1")) flag++; if (ubuntu_check(osver:"5.04", pkgname:"gnupg", pkgver:"1.2.5-3ubuntu5.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "gnupg"); }
References
- http://eprint.iacr.org/2005/033
- http://eprint.iacr.org/2005/033.pdf
- http://securitytracker.com/id?1013166
- http://www.gentoo.org/security/en/glsa/glsa-200503-29.xml
- http://www.kb.cert.org/vuls/id/303094
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:057
- http://www.novell.com/linux/security/advisories/2005_07_sr.html
- http://www.osvdb.org/13775
- http://www.pgp.com/library/ctocorner/openpgp.html
- http://www.securityfocus.com/bid/12529