OSVDB ID: 13775 Title: OpenPGP CFB Module Quick Check Feature Information Disclosure |
Info |
|
|
Dates |
||||
|
|
Description |
OpenPGP protocol contains a flaw that may allow a malicious user to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed. The issue is triggered when handling a message that was encrypted using cipher feedback (CFB) mode. It is possible that the flaw may result in a loss of confidentiality. |
Classification |
Location:
Remote / Network Access
Attack Type: Cryptographic, Information Disclosure Impact: Loss of Confidentiality Exploit: Exploit Unknown Disclosure: OSVDB Verified, Vendor Verified |
Solution |
Upgrade to GNU Privacy Guard version 1.4.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. Other vendors of OpenPGP-based products (PGP Corporation, and Hush Communications) plan to disable the quick check feature for all public key-encrypted messages and files until the vulnerability can be fully addressed by modifying the OpenPGP standard. |
Products |
|
References |
|
Credit |
|
entrust.com - Entrust, Inc.