CVE-2013-4576

Severity: Unknown | EPSS: 0.45%

CVE-2013-4576 is a vulnerability of currently unknown severity. GnuPG 1.x before 1.4.16 generates RSA keys using sequences of instructions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. EPSS estimates a 0.45% chance of exploitation in the next 30 days.

Description

GnuPG 1.x before 1.4.16 generates RSA keys using sequences of instructions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.

Metrics

EPSS Probability: 0.45% (35.9th percentile)

Probability of exploitation in the next 30 days.

Weakness Enumeration

Affected Software

Vendor  Product  Versions
Gnupg   Gnupg    <= 1.4.15
Gnupg   Gnupg    1.0.0
Gnupg   Gnupg    1.0.1
Gnupg   Gnupg    1.0.2
Gnupg   Gnupg    1.0.3
Gnupg   Gnupg    1.0.4
Gnupg   Gnupg    1.0.5
Gnupg   Gnupg    1.0.6
Gnupg   Gnupg    1.0.7
Gnupg   Gnupg    1.2.0
Gnupg   Gnupg    1.2.1
Gnupg   Gnupg    1.2.2
Gnupg   Gnupg    1.2.3
Gnupg   Gnupg    1.2.4
Gnupg   Gnupg    1.2.5
Gnupg   Gnupg    1.2.6
Gnupg   Gnupg    1.2.7
Gnupg   Gnupg    1.3.0
Gnupg   Gnupg    1.3.1
Gnupg   Gnupg    1.3.2
Gnupg   Gnupg    1.3.3
Gnupg   Gnupg    1.3.4
Gnupg   Gnupg    1.3.6
Gnupg   Gnupg    1.3.90
Gnupg   Gnupg    1.3.91
Gnupg   Gnupg    1.3.92
Gnupg   Gnupg    1.3.93
Gnupg   Gnupg    1.4
Gnupg   Gnupg    1.4.0
Gnupg   Gnupg    1.4.2
Gnupg   Gnupg    1.4.3
Gnupg   Gnupg    1.4.4
Gnupg   Gnupg    1.4.5
Gnupg   Gnupg    1.4.6
Gnupg   Gnupg    1.4.8
Gnupg   Gnupg    1.4.10
Gnupg   Gnupg    1.4.11
Gnupg   Gnupg    1.4.12
Gnupg   Gnupg    1.4.13
Gnupg   Gnupg    1.4.14

References

Timeline

Status: Modified

Frequently Asked Questions

What is CVE-2013-4576?
GnuPG 1.x before 1.4.16 generates RSA keys using sequences of instructions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.
How severe is CVE-2013-4576?
Severity scoring for CVE-2013-4576 is pending analysis. The EPSS model estimates a 0.45% probability of exploitation in the next 30 days.
How do I fix CVE-2013-4576?
Check the vendor references and advisories linked above for patched versions and mitigation guidance.

Source: NVD / NIST