Google Discloses Severe Bug in Libgcrypt Encryption Library—Impacting Many Projects

  • A “severe” vulnerability in GNU Privacy Guard (GnuPG)’s Libgcrypt encryption application could have permitted an attacker to generate arbitrary info to the target machine, possibly main to remote code execution.

    The flaw, which impacts variation 1.9. of libgcrypt, was found on January 28 by Tavis Ormandy of Venture Zero, a security investigate device within just Google focused to discovering zero-working day bugs in components and program units.

    No other versions of Libgcrypt are afflicted by the vulnerability.

    “There is a heap buffer overflow in libgcrypt because of to an incorrect assumption in the block buffer administration code,” Ormandy stated. “Just decrypting some data can overflow a heap buffer with attacker controlled data, no verification or signature is validated just before the vulnerability occurs.”

    GnuPG addressed the weakness practically instantly in just a day right after disclosure, even though urging end users to end applying the susceptible variation. The latest version can be downloaded below.

    The Libgcrypt library is an open up-source cryptographic toolkit provided as portion of GnuPG program suite to encrypt and sign facts and communications. An implementation of OpenPGP, it truly is utilised for digital security in many Linux distributions these types of as Fedora and Gentoo, though it isn’t as extensively utilised as OpenSSL or LibreSSL.

    In accordance to GnuPG, the bug appears to have been introduced in 1.9. in the course of its progress stage two several years ago as portion of a modify to “decrease overhead on generic hash write function,” but it was only spotted previous week by Google Challenge Zero.

    Hence all an attacker requirements to do to result in this critical flaw is to send the library a block of specially-crafted knowledge to decrypt, therefore tricking the application into working an arbitrary fragment of malicious code embedded in it (aka shellcode) or crash a application (in this circumstance, gpg) that depends on the libgcrypt library.

    “Exploiting this bug is easy and so rapid action for 1.9. users is demanded,” Libgcrypt author Werner Koch noted. “The 1.9. tarballs on our FTP server have been renamed so that scripts will not likely be able to get this edition any more.”

    Discovered this post fascinating? Comply with THN on Facebook, Twitter  and LinkedIn to go through extra distinctive content we publish.