VYPR
Unrated severity · NVD Advisory · Published Nov 29, 2019 · Updated Aug 6, 2024

CVE-2015-0837

Description

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 expose secret RSA keys via a last-level cache side-channel attack on the mpi_powm function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The mpi_powm function in Libgcrypt before version 1.6.3 and GnuPG before version 1.4.19 is vulnerable to a last-level cache (LLC) side-channel attack. The vulnerability arises because the modular exponentiation routine accesses a pre-computed table in a data-dependent pattern, allowing an attacker sharing the same CPU cache to infer secret key bits [1][2][3].

Exploitation

An attacker needs to be co-located on the same physical machine as the victim, able to run unprivileged code that can monitor LLC eviction sets or Prime+Probe timing differences. The core sequence involves performing a cache side-channel attack (e.g., LLC Prime+Probe) while the victim process executes mpi_powm on a secret RSA private key, then statistically analyzing the observed cache access patterns to recover key digits [3].

Impact

Successful exploitation allows the attacker to recover the RSA private key used during the modular exponentiation operation, leading to a complete breach of confidentiality for encrypted communications and digital signatures. The attack does not require any special privileges beyond the ability to execute code on the same hardware [3].

Mitigation

The fix is included in Libgcrypt 1.6.3 and GnuPG 1.4.19, both released on 2015-02-27 [1][2]. The update uses timing-invariant code paths to eliminate data-dependent cache accesses. Users of GnuPG 2.0 or 2.1 must update the shared Libgcrypt library to version 1.6.3; users of GnuPG classic can upgrade to 1.4.19 directly [1]. No workaround is available for unpatched installations.
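As an added illustration (not libgcrypt's or GnuPG's own code), a toy fixed-window modular exponentiation whose precomputed table is read either by direct indexing, the data-dependent pattern described under Vulnerability, or by a scan-and-mask read whose memory accesses do not depend on the secret window, the kind of access-invariant path the fix introduces. `powm_window`, `table_read_leaky`, `table_read_ct` and the 32-bit parameters are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of a fixed-window modular exponentiation: 32-bit modulus,
 * 4-bit windows, a 16-entry table of base^0 .. base^15. Real mpi_powm
 * works on multi-limb integers; only the table-access pattern matters here. */
#define WBITS 4u
#define TSIZE (1u << WBITS)

static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m) {
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Leaky read: which cache line is touched depends on the secret window
 * value, which is what an LLC Prime+Probe observer can distinguish. */
static uint32_t table_read_leaky(const uint32_t *tab, uint32_t idx) {
    return tab[idx];
}

/* Access-invariant read: touch every entry in the same order every time and
 * keep the wanted one with an all-ones/all-zeros mask, so the sequence of
 * memory accesses no longer depends on idx. */
static uint32_t table_read_ct(const uint32_t *tab, uint32_t idx) {
    uint32_t r = 0;
    for (uint32_t i = 0; i < TSIZE; i++) {
        uint32_t d = i ^ idx;                       /* 0 only when i == idx */
        uint32_t mask = ((d | (0u - d)) >> 31) - 1; /* 0xFFFFFFFF iff d == 0 */
        r |= tab[i] & mask;
    }
    return r;
}

typedef uint32_t (*table_reader)(const uint32_t *, uint32_t);

/* Left-to-right fixed-window exponentiation; rd selects the table strategy. */
static uint32_t powm_window(uint32_t base, uint32_t exp, uint32_t mod, table_reader rd) {
    uint32_t tab[TSIZE];
    tab[0] = 1u % mod;
    for (uint32_t i = 1; i < TSIZE; i++) tab[i] = mulmod(tab[i - 1], base, mod);
    uint32_t acc = 1u % mod;
    for (int shift = 32 - (int)WBITS; shift >= 0; shift -= (int)WBITS) {
        for (uint32_t k = 0; k < WBITS; k++) acc = mulmod(acc, acc, mod);
        acc = mulmod(acc, rd(tab, (exp >> shift) & (TSIZE - 1)), mod);
    }
    return acc;
}

int main(void) {
    printf("4^13 mod 497 = %u (invariant read) / %u (leaky read)\n",
           powm_window(4, 13, 497, table_read_ct), powm_window(4, 13, 497, table_read_leaky));
    return 0;
}
```

Both readers return identical results; the difference is only in which addresses are touched, which is the property a shared-cache observer exploits and the invariant read removes.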

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 18

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE: mechanics are only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.