VYPR
Unrated severity · NVD Advisory · Published Sep 25, 2019 · Updated Aug 4, 2024

CVE-2019-13627

Description

CVE-2019-13627 is a timing side-channel in libgcrypt's ECDSA implementation that leaks the bit-length of the random nonce, enabling private key recovery from a few hundred to a few thousand signatures.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2019-13627 is an ECDSA timing side-channel vulnerability in the libgcrypt cryptographic library (versions 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4). During scalar multiplication on an elliptic curve, the implementation leaks the bit-length of the scalar (the random nonce used in ECDSA signature generation). This leakage, though seemingly minor, allows an attacker to glean enough information about the nonce to recover the long-term private key via lattice techniques [1][2].
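The leak described above, shown as an added illustration that is not code from libgcrypt, from the fix, or from this advisory: a constructed toy curve over GF(17) with a left-to-right double-and-add whose loop count equals the bit-length of the scalar (so signing time reveals how many leading zero bits the nonce has), beside a Montgomery ladder that always runs a fixed number of iterations. The curve, generator, nonce values and the fixed loop length NBITS are all assumptions for the demo; libgcrypt's actual patch is not reproduced here.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed toy curve for illustration only: y^2 = x^3 + 7 over GF(17),
 * generator G = (15, 13). Real ECDSA uses ~256-bit fields; the arithmetic
 * is deliberately tiny so the loop-count leak is easy to see. */
#define P       17
#define CURVE_A 0
#define NBITS   5   /* assumed fixed iteration count (bit-length of the group order) */

typedef struct { int64_t x, y, inf; } point;   /* inf != 0 marks the point at infinity */

static int64_t md(int64_t v) { v %= P; return v < 0 ? v + P : v; }

/* Modular inverse by Fermat's little theorem (P is prime). */
static int64_t inv(int64_t v) {
    int64_t r = 1, b = md(v), e = P - 2;
    while (e) { if (e & 1) r = md(r * b); b = md(b * b); e >>= 1; }
    return r;
}

/* Affine point addition handling O, doubling and p + (-p). The branches in
 * here are not constant-time either; production code uses complete formulas.
 * This example is about the outer loop, which is what the advisory says leaks. */
static point padd(point p, point q) {
    point o = {0, 0, 1};
    if (p.inf) return q;
    if (q.inf) return p;
    if (p.x == q.x && md(p.y + q.y) == 0) return o;
    int64_t lam = (p.x == q.x)
        ? md(md(3 * p.x * p.x + CURVE_A) * inv(2 * p.y))
        : md(md(q.y - p.y) * inv(md(q.x - p.x)));
    point r = {0, 0, 0};
    r.x = md(lam * lam - p.x - q.x);
    r.y = md(lam * (p.x - r.x) - p.y);
    return r;
}

/* Vulnerable pattern: double-and-add starting at the scalar's top set bit.
 * Iteration count == bitlen(k), so elapsed time reveals the nonce's bit-length. */
static point mul_vartime(int64_t k, point g, int *iters) {
    point r = {0, 0, 1};
    int bits = 0;
    for (int64_t t = k; t; t >>= 1) bits++;
    *iters = 0;
    for (int i = bits - 1; i >= 0; i--) {
        r = padd(r, r);
        if ((k >> i) & 1) r = padd(r, g);
        (*iters)++;
    }
    return r;
}

/* Branch-free conditional swap: swap == 1 exchanges a and b, swap == 0 does nothing. */
static void cswap(point *a, point *b, int64_t swap) {
    int64_t m = -(swap & 1), t;
    t = m & (a->x ^ b->x);     a->x ^= t;   b->x ^= t;
    t = m & (a->y ^ b->y);     a->y ^= t;   b->y ^= t;
    t = m & (a->inf ^ b->inf); a->inf ^= t; b->inf ^= t;
}

/* Mitigated pattern: Montgomery ladder that always runs NBITS iterations,
 * regardless of where the scalar's top bit sits, so bitlen(k) is not
 * observable from the loop count. */
static point mul_ladder(int64_t k, point g, int *iters) {
    point r0 = {0, 0, 1}, r1 = g;
    *iters = 0;
    for (int i = NBITS - 1; i >= 0; i--) {
        int64_t bit = (k >> i) & 1;
        cswap(&r0, &r1, bit);
        r1 = padd(r0, r1);   /* r1 = r0 + r1 */
        r0 = padd(r0, r0);   /* r0 = 2*r0  */
        cswap(&r0, &r1, bit);
        (*iters)++;
    }
    return r0;
}

static const point G = {15, 13, 0};

int vartime_iters(int64_t k) { int n; mul_vartime(k, G, &n); return n; }
int ladder_iters(int64_t k)  { int n; mul_ladder(k, G, &n);  return n; }

/* 1 if both methods agree on k*G (sanity check that the ladder is correct). */
int same_result(int64_t k) {
    int n;
    point a = mul_vartime(k, G, &n), b = mul_ladder(k, G, &n);
    return a.inf == b.inf && (a.inf || (a.x == b.x && a.y == b.y));
}

int main(void) {
    int64_t nonces[] = {1, 5, 13};   /* constructed nonces of bit-length 1, 3 and 4 */
    for (int i = 0; i < 3; i++)
        printf("k=%2lld  vartime iterations=%d  ladder iterations=%d  agree=%d\n",
               (long long)nonces[i], vartime_iters(nonces[i]),
               ladder_iters(nonces[i]), same_result(nonces[i]));
    return 0;
}
```

Running it prints one line per nonce: the variable-time loop runs 1, 3 and 4 times while the ladder runs 5 times for every nonce, and both agree on the resulting point. The iteration counts are exactly the quantity a timing measurement would recover from the vulnerable form, and the fixed-length form is the property a patched scalar multiplication must have; real implementations additionally need complete, branch-free field and point arithmetic inside the loop.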

Exploitation

An attacker must be able to observe a sufficient number of ECDSA signatures on known messages generated using the same libgcrypt instance. This can be achieved by a network-based attacker who collects signatures from a remote server or via a local attacker on a shared system. The attack requires no authentication or user interaction beyond normal signature generation. With 500–2100 signatures (depending on the specific implementation), the attacker can apply lattice-based cryptanalysis to recover the full private key [1]. The original Minerva paper demonstrated practical key recovery using an off-the-shelf smart card reader and a standard laptop, with total runtime of about 30 minutes including signature collection [1].

Impact

Successful exploitation allows complete recovery of the ECDSA private key [1][2]. This gives the attacker the same signing capability as the legitimate key holder, enabling forgery of signatures, impersonation, man-in-the-middle attacks on protocols relying on ECDSA authentication, and decryption of past communications if the key was used for key exchange. The confidentiality and integrity of any system relying on that ECDSA key are fully compromised.

Mitigation

The vulnerability is fixed in libgcrypt versions 1.8.5 (released October 2019) and 1.6.3-2+deb8u7 [3][4]. Ubuntu users should update to the packages provided in USN-4236-3 [3]. No workaround is available other than upgrading to a patched version or replacing the affected libgcrypt instance with a non-vulnerable implementation. Older EOL distributions that include libgcrypt 1.8.4 or earlier must upgrade the library or migrate to a supported distribution.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 28

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: no source-code context for this CVE. The mechanics section is only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 12

News mentions: 0 (no linked articles in our index yet)