Overview
Gnu Privacy Guard (GnuPG) is a cryptographic utility used to generate cryptographic keys and perform other cryptographic functions. A vulnerability in the way GnuPG generates ElGamal keys has been discovered. This vulnerability renders ElGamal signing key untrustworthy.
Description
A vulnerability in the algorithm to generate ElGamal sign+encrypt keys can permit an attacker to generate valid signatures without access to the private key. This vulnerability does not affect encrypt-only (type 16) ElGamal keys, only the ElGamal sign+encrypt key (type 20) when used to make a signature with a GnuPG version 1.0.2 or later. |
Impact
A remote attacker can generate a valid signature without access to the private key. |
Solution
Revoke your ElGamal signing keys. GnuPG has released a patch for version 1.2.3 or you can upgrade to version 1.2.4 or later. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
Acknowledgements
Thanks to Werner Koch for his advisory on this issue, and Phong Nguyen for reporting this vulnerability.
This document was written by Jason A Rafail.
Other Information
| CVE IDs: | CVE-2003-0971 |
| Severity Metric: | 6.33 |
| Date Public: | 2003-11-27 |
| Date First Published: | 2003-12-29 |
| Date Last Updated: | 2003-12-29 15:52 UTC |
| Document Revision: | 7 |