parcimonie (0.6 to 0.8, included) possible correlation between key fetches

2014.02.10
Credit: Holger Levsen
Risk: Low
Local: No
Remote: Yes
CWE: CWE-362


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hi,

Holger Levsen <holger () layer-acht org> discovered that parcimonie [1], a privacy-friendly helper to refresh a GnuPG keyring, before version 0.8.1, is affected by a design problem that undermines the usefulness of this piece of software, in the intended threat model.

I am upstream for parcimonie, and I maintain it in Debian.

Type of the vulnerability: information disclosure.

Description: when using parcimonie with a large keyring (1000 public keys or more), it would always sleep exactly 10 minutes between two key fetches. This is likely to be fingerprintable by an adversary who can watch enough key fetches, who can then correlate multiple key fetches with each other, which is the exact situation that parcimonie aims at protecting against. It happens that such an adversary is part of the threat model parcimonie is meant to cope with.

This problem is slightly mitigated by the fact that most users likely use a HKP(s) pool as their configured GnuPG keyserver (so their successive requests have good chances to be sent to different keyservers), and the fact that each key fetch is done using a different Tor circuit.

Upstream bugfix: commit 8931fdcf868c37e2e8d44324d5514d235a6d5c89 in git://gaffer.ptitcanardnoir.org/App-Parcimonie.git

Versions affected: from parcimonie 0.6 to 0.8, included.
Fixed in parcimonie 0.8.1.

This problem was made public in Debian bug #738134 [2], and was described in detail in the commit message for the upstream bugfix.

Could you please allocate a CVE id for this?

References:
[1] http://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
[2] https://bugs.debian.org/738134

Cheers,
--
intrigeri
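
The effect described in the report, as an added example that is not part of the original message or of parcimonie's code: it measures how clock-like the gaps between observed fetches are under a fixed 10-minute sleep and under a randomized one. The 5-second jitter, the sample size and the exponential delay are constructed assumptions and are not taken from the upstream fix.

```python
import random
import statistics

FIXED_SLEEP = 600.0  # seconds; the exact 10-minute sleep described in the advisory

def fetch_times(n, next_sleep, rng, jitter=5.0):
    """Return n fetch timestamps (seconds) as a network observer would log them."""
    # jitter models variable circuit setup and network latency (constructed value)
    t, times = 0.0, []
    for _ in range(n):
        t += next_sleep(rng)
        times.append(t + rng.uniform(0.0, jitter))
    return times

def gaps(times):
    return [b - a for a, b in zip(times, times[1:])]

def coefficient_of_variation(times):
    """Std-dev of gaps divided by the mean gap; near 0 means a clock-like schedule."""
    g = gaps(times)
    return statistics.pstdev(g) / statistics.fmean(g)

def fraction_near_period(times, period=FIXED_SLEEP, tol=10.0):
    """Share of consecutive gaps within tol seconds of the suspected period."""
    g = gaps(times)
    return sum(abs(x - period) <= tol for x in g) / len(g)

def fixed_sleep(rng):
    return FIXED_SLEEP

def randomized_sleep(rng):
    # Assumption: exponential delay with the same mean, as one possible way to
    # randomize the schedule; not taken from the upstream commit.
    return rng.expovariate(1.0 / FIXED_SLEEP)

def report(n=200, seed=1):
    """Return {schedule: (CV of gaps, share of gaps near 600 s)} for both schedules."""
    out = {}
    for name, sched in (("fixed", fixed_sleep), ("randomized", randomized_sleep)):
        times = fetch_times(n, sched, random.Random(seed))
        out[name] = (coefficient_of_variation(times), fraction_near_period(times))
    return out

if __name__ == "__main__":
    for name, (cv, frac) in report().items():
        print(f"{name:>10}: CV={cv:.3f}  gaps within 10 s of 600 s: {frac:.0%}")
```

A coefficient of variation near zero, or nearly every gap landing on the same value, is the regularity the report calls fingerprintable; the same two measurements can serve as a regression check on any scheduler change.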

References:

http://gaffer.ptitcanardnoir.org/intrigeri/code/parcimonie/
https://bugs.debian.org/738134
http://seclists.org/oss-sec/2014/q1/305

