CVE-2005-0366
CVSS 5.0
Published: 2005-05-02 00:00:00
Last revised: 2008-09-10 15:35:25

[Original] The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed.


[CNNVD] OpenPGP vulnerability (CNNVD-200505-075)

The integrity check feature in OpenPGP, when handling messages encrypted in cipher feedback (CFB) mode, allows a remote attacker who knows the first 2 bytes of a message block, and who can use an oracle or other mechanism to determine whether the integrity check failed, to recover other parts of the plaintext through a chosen-ciphertext attack.

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0366
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0366
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-075
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/303094
(VENDOR_ADVISORY)  CERT-VN  VU#303094
http://www.pgp.com/library/ctocorner/openpgp.html
(VENDOR_ADVISORY)  CONFIRM  http://www.pgp.com/library/ctocorner/openpgp.html
http://www.gentoo.org/security/en/glsa/glsa-200503-29.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200503-29
http://eprint.iacr.org/2005/033.pdf
(UNKNOWN)  MISC  http://eprint.iacr.org/2005/033.pdf
http://www.securityfocus.com/bid/12529
(UNKNOWN)  BID  12529
http://www.osvdb.org/13775
(UNKNOWN)  OSVDB  13775
http://www.novell.com/linux/security/advisories/2005_07_sr.html
(UNKNOWN)  SUSE  SUSE-SR:2005:007
http://www.mandriva.com/security/advisories?name=MDKSA-2005:057
(UNKNOWN)  MANDRAKE  MDKSA-2005:057
http://securitytracker.com/id?1013166
(UNKNOWN)  SECTRACK  1013166
http://eprint.iacr.org/2005/033
(UNKNOWN)  MISC  http://eprint.iacr.org/2005/033

- Vulnerability information

OpenPGP vulnerability
Medium severity  Design error
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
The integrity check feature in OpenPGP, when handling messages encrypted in cipher feedback (CFB) mode, allows a remote attacker who knows the first 2 bytes of a message block, and who can use an oracle or other mechanism to determine whether the integrity check failed, to recover other parts of the plaintext through a chosen-ciphertext attack.

- Advisories and patches

No data available

- Vulnerability information (F39528)

Ubuntu Security Notice 170-1 (PacketStormID:F39528)
2005-08-24 00:00:00
Ubuntu  ubuntu.com
advisory
linux,ubuntu
CVE-2005-0366

Ubuntu Security Notice USN-170-1 - Serge Mister and Robert Zuccherato discovered a weakness of the symmetrical encryption algorithm of gnupg. When decrypting a message, gnupg uses a feature called 'quick scan'; this can quickly check whether the key that is used for decryption is (probably) the right one, so that wrong keys can be determined quickly without decrypting the whole message.

===========================================================
Ubuntu Security Notice USN-170-1	    August 19, 2005
gnupg vulnerability
CAN-2005-0366
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

gnupg

The problem can be corrected by upgrading the affected package to
version 1.2.4-4ubuntu2.1 (for Ubuntu 4.10), or 1.2.5-3ubuntu5.1 (for
Ubuntu 5.04).  In general, a standard system upgrade is sufficient to
effect the necessary changes.

Details follow:

Serge Mister and Robert Zuccherato discovered a weakness of the
symmetrical encryption algorithm of gnupg. When decrypting a message,
gnupg uses a feature called "quick scan"; this can quickly check
whether the key that is used for decryption is (probably) the right
one, so that wrong keys can be determined quickly without decrypting
the whole message.

A failure of the quick scan will be determined much faster than a
successful one.  Mister/Zuccherato demonstrated that this timing
difference can be exploited to an attack which allows an attacker to
decrypt parts of an encrypted message if an "oracle" is available, i.
e. an automatic system that receives random encrypted messages from
the attacker and answers whether it passes the quick scan check.

However, since the attack requires a huge amount of oracle answers
(about 32.000 for every 16 bytes of ciphertext), this attack is mostly
theoretical. It does not have any impact on human operation of gnupg
and is not believed to be exploitable in practice.

The updated packages disable the quick check, which renders this
timing attack impossible.



- Vulnerability information (F36792)

Gentoo Linux Security Advisory 200503-29 (PacketStormID:F36792)
2005-03-25 00:00:00
Gentoo  security.gentoo.org
advisory,protocol
linux,gentoo
CVE-2005-0366

Gentoo Linux Security Advisory GLSA 200503-29 - A flaw has been identified in an integrity checking mechanism of the OpenPGP protocol. Versions less than 1.4.1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200503-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: GnuPG: OpenPGP protocol attack
      Date: March 24, 2005
      Bugs: #85547
        ID: 200503-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Automated systems using GnuPG may leak plaintext portions of an
encrypted message.

Background
==========

GnuPG is a complete and free replacement for PGP, a tool for secure
communication and data storage.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  app-crypt/gnupg       < 1.4.1                            >= 1.4.1

Description
===========

A flaw has been identified in an integrity checking mechanism of the
OpenPGP protocol.

Impact
======

An automated system using GnuPG that allows an attacker to repeatedly
discover the outcome of an integrity check (perhaps by observing the
time required to return a response, or via overly verbose error
messages) could theoretically reveal a small portion of plaintext.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GnuPG users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.1"

References
==========

  [ 1 ] CERT VU#303094
        http://www.kb.cert.org/vuls/id/303094
  [ 2 ] CAN-2005-0366
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0366

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200503-29.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


- Vulnerability information

13775
OpenPGP CFB Module Quick Check Feature Information Disclosure
Remote / Network Access Cryptographic, Information Disclosure
Loss of Confidentiality
Exploit Unknown Vendor Verified

- Vulnerability description

OpenPGP protocol contains a flaw that may allow a malicious user to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed. The issue is triggered when handling a message that was encrypted using cipher feedback (CFB) mode. It is possible that the flaw may result in a loss of confidentiality.

- Timeline

2005-02-11 Unknown
Unknown Unknown

- Solution

Upgrade to GNU Privacy Guard version 1.4.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Other vendors of OpenPGP-based products (PGP Corporation, and Hush Communications) plan to disable the quick check feature for all public key-encrypted messages and files until the vulnerability can be fully addressed by modifying the OpenPGP standard.

- References

- Vulnerability author

- Vulnerability information

OpenPGP Cipher Feedback Mode Chosen-Ciphertext Partial Plaintext Retrieval Vulnerability
Design Error 12529
Yes No
2005-02-11 12:00:00 2009-07-12 10:06:00
Discovery is credited to Serge Mister and Robert Zuccherato of Entrust.

- Affected program versions

Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
OpenPGP OpenPGP
GNU GNU Privacy Guard 1.2.4
+ MandrakeSoft Corporate Server 3.0 x86_64
+ MandrakeSoft Corporate Server 3.0
+ Mandriva Linux Mandrake 10.1 x86_64
+ Mandriva Linux Mandrake 10.1
+ Mandriva Linux Mandrake 10.0 AMD64
+ Mandriva Linux Mandrake 10.0
GNU GNU Privacy Guard 1.2.3
+ Conectiva Linux 9.0
+ Mandriva Linux Mandrake 9.2
+ Turbolinux Turbolinux Desktop 10.0
GNU GNU Privacy Guard 1.2.2 -rc1
+ S.u.S.E. Linux Personal 8.2
GNU GNU Privacy Guard 1.2.2 -r1
+ Gentoo Linux 1.4 _rc3
+ Gentoo Linux 1.4 _rc2
+ Gentoo Linux 1.4 _rc1
GNU GNU Privacy Guard 1.2.2
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Workstation 3.1.1
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
GNU GNU Privacy Guard 1.2.1
+ Conectiva Linux 9.0
+ OpenPKG OpenPKG 1.2
+ RedHat Linux 9.0 i386
+ Terra Soft Solutions Yellow Dog Linux 3.0
GNU GNU Privacy Guard 1.2
GNU GNU Privacy Guard 1.0.7
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ MandrakeSoft apcupsd 2006.0
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
+ MandrakeSoft Multi Network Firewall 2.0
+ Mandriva Linux Mandrake 9.0
+ Mandriva Linux Mandrake 8.2 ppc
+ Mandriva Linux Mandrake 8.2
+ OpenPKG OpenPKG 1.1
+ Red Hat Enterprise Linux AS 2.1 IA64
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Enterprise Linux ES 2.1 IA64
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1 IA64
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux 8.0 i386
+ RedHat Linux 7.3 i386
+ RedHat Linux 7.2 ia64
+ RedHat Linux 7.2 i386
+ RedHat Linux 7.1 i386
+ RedHat Linux Advanced Work Station 2.1
+ Sun Linux 5.0.5
+ Turbolinux Turbolinux Server 8.0
+ Turbolinux Turbolinux Server 7.0
+ Turbolinux Turbolinux Server 6.5
+ Turbolinux Turbolinux Server 6.1
+ Turbolinux Turbolinux Workstation 8.0
+ Turbolinux Turbolinux Workstation 7.0
+ Turbolinux Turbolinux Workstation 6.0
GNU GNU Privacy Guard 1.0.6
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
GNU GNU Privacy Guard 1.0.5
- Caldera OpenLinux 2.4
- Caldera OpenLinux 2.3
- Caldera OpenLinux eBuilder 3.0
- Conectiva Linux 6.0
- Conectiva Linux 5.1
- Conectiva Linux 5.0
- Conectiva Linux 4.2
- Conectiva Linux 4.1
- Conectiva Linux 4.0 es
- Conectiva Linux 4.0
- Conectiva Linux graficas
- Conectiva Linux ecommerce
- Debian Linux 2.2 sparc
- Debian Linux 2.2 powerpc
- Debian Linux 2.2 arm
- Debian Linux 2.2 alpha
- Debian Linux 2.2 68k
- Debian Linux 2.2
- Immunix Immunix OS 7.0 beta
- Immunix Immunix OS 7.0
- Immunix Immunix OS 6.2
- MandrakeSoft Corporate Server 1.0.1
- Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0 ppc
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Red Hat Linux 6.2
- RedHat Linux 7.1 i386
- RedHat Linux 7.1
- RedHat Linux 7.0 i386
- RedHat Linux 7.0 alpha
- RedHat Linux 7.0
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
- S.u.S.E. Linux 7.1
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 6.4
- S.u.S.E. Linux 6.3
- Trustix Secure Linux 1.2
- Trustix Secure Linux 1.1
GNU GNU Privacy Guard 1.0.4
- Turbolinux Turbolinux 6.0.5
- Turbolinux Turbolinux Server 6.5
- Turbolinux Turbolinux Workstation 6.1
GNU GNU Privacy Guard 1.0.3 b
GNU GNU Privacy Guard 1.0.3
GNU GNU Privacy Guard 1.0.2
GNU GNU Privacy Guard 1.0.1
GNU GNU Privacy Guard 1.0 .6
- MandrakeSoft Corporate Server 1.0.1
- Mandriva Linux Mandrake 8.1
- Mandriva Linux Mandrake 8.0 ppc
- Mandriva Linux Mandrake 8.0
- Mandriva Linux Mandrake 7.2
- Mandriva Linux Mandrake 7.1
GNU GNU Privacy Guard 1.0
Gentoo Linux
ALT Linux ALT Linux Junior 2.3
ALT Linux ALT Linux Compact 2.3

- Vulnerability discussion

OpenPGP is reported prone to a vulnerability that may theoretically allow attackers to retrieve partial plaintexts from encrypted OpenPGP messages.

It is reported that a proof of concept chosen-ciphertext attack method has been developed that exploits a flaw in OpenPGP to retrieve partial plaintexts from OpenPGP messages encrypted with symmetric encryption. Apparently when messages are encrypted with the CFB mode, a design flaw in an integrity check feature can be exploited.

The attack is also limited in the amount of information that can be disclosed from an encrypted message. Apparently, only partial disclosure of a message is possible.

The OpenPGP standard is reported vulnerable to this issue. It is not known whether PGP or GNU Privacy Guard or other implementations are vulnerable. This BID will be updated when more information becomes available.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

ALT Linux has released updates dealing with this and other issues. Please see the reference section for more information.

SUSE has released advisory SUSE-SR:2005:007 to address this issue. Please see the referenced advisory for more information.

Mandrake Linux has released advisory MDKSA-2005:057 along with fixes dealing with this issue. Please see the referenced advisory for more information.

Gentoo has released advisory GLSA 200503-29 to address this issue. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their computers:

emerge --sync
emerge --ask --oneshot --verbose ">=app-crypt/gnupg-1.4.1"

Ubuntu Linux has released security advisory USN-170-1 addressing this issue. Please see the referenced advisory for further information.

Fixed packages are listed for the following affected products:

GNU GNU Privacy Guard 1.0.7
GNU GNU Privacy Guard 1.2.3
GNU GNU Privacy Guard 1.2.4
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.2 x86_64

- References
