- Home
- CVEs with nessus.description==CVE-2016-6313
Felix Doerre and Vladimir Klebanov from the Karlsruhe Institute of
Technology discovered a flaw in the mixing functions of GnuPG's random
number generator. An attacker who obtains 4640 bits from the RNG can
trivially predict the next 160 bits of output.
A first analysis on the impact of this bug for GnuPG shows
that existing RSA keys are not weakened. For DSA and Elgamal
keys it is also unlikely that the private key can be
predicted from other public information.
Bypassing GnuPG key checking :
Weaknesses have been found in GnuPG signature validation that
attackers could exploit thanks to especially forged public keys and
under specific hardware-software conditions. While the underlying
problem cannot be solved only by software, GnuPG has been
strengthened, avoiding to rely on keyring signature caches when
verifying keys. Potential specific attacks are not valid any more with
the patch of GnuPG
Bypassing GnuPG key checking :
Vrije Universiteit Amsterdam and Katholieke Universteit Leuven
researchers discovered an attack method, known as Flip Feng Shui, that
concerns flaws in GnuPG. Researchers found that under specific
hardware-software conditions, attackers could bypass the GnuPG
signature validation by using forged public keys. While the underlying
problem cannot be solved only by software, GnuPG has been made more
robust to avoid relying on keyring signature caches when verifying
keys.
For Debian 7 'Wheezy', these issues have been addressed in version
1.4.12-7 deb7u8.
We recommend that you upgrade your gnupg packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.
Max CVSS | 0 |
Min CVSS | 0 |
Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published |
Back to Top
Mark selected
Back to Top