The vulnerability CVE-2021-40528 in Libgcrypt's ElGamal implementation allowed plaintext recovery because encryption used a short ephemeral exponent k (far fewer bits than the modulus p). A short k is only safe when every subgroup of the receiver's group is large; against a public key produced by another implementation, whose p-1 may have small prime factors, an attacker can recover k from the ciphertext component g^k and then the plaintext, without the private key. I analyzed the commit patch (3462280f2e23e16adf3ed5176e0f2413d8861320) which fixes this issue. The patch modifies cipher/elgamal.c.
gen_k previously took a parameter small_k. When small_k was true it generated the ephemeral exponent k with a reduced number of bits; the patch removes the parameter and the associated branch, so k is always generated at the original, full size. This function was vulnerable because it could produce an insecurely short exponent.

do_encrypt, which performs the ElGamal encryption, previously called gen_k with small_k=1, explicitly requesting the short exponent. The patch changes this call to drop the small_k argument, matching the new gen_k signature. This function was vulnerable because it was the caller that requested the short exponent on every encryption.
The commit message explicitly states the fix involves removing support for 'smaller K' in gen_k and ensuring do_encrypt never uses it. Both functions would appear in a runtime profile of an exploit: do_encrypt is the encryption entry point, and it calls gen_k to generate the ephemeral exponent. The vulnerable state is reached when that call to gen_k returns a short k, which before the patch happened on every encryption because do_encrypt always passed small_k=1.
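To see why the short k matters, here is an added Python example (not Libgcrypt code and not part of the patch) that reconstructs the attack idea in a toy group: the sender encrypts with a 40-bit k, the receiver's p-1 has several small prime factors (Libgcrypt's own Lim-Lee primes avoid this, a key from another implementation may not), and the attacker recovers k from g^k by solving the discrete log in each small-order subgroup, combining the residues by CRT, and searching the remaining quotient, which is only feasible because k is short. The attacker then recovers the plaintext without the private key. All names (make_group, recover_short_k, demo), the constructed group parameters, the seed and the sample plaintext are assumptions for the demo; the primality test is Miller-Rabin with fixed bases, probabilistic for the larger modulus.

```python
"""Toy reconstruction of the short-ephemeral-exponent attack against ElGamal.
Added example, not Libgcrypt code: names, group parameters and sample data
are constructed for the demo."""
import math
import random

# Miller-Rabin bases: deterministic below ~3.3e24, probabilistic above (fine for a demo).
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
# Small primes forced into p-1 to mimic a key whose group has small subgroups.
SMALL_FACTORS = (3, 5, 7, 11, 13, 17, 19, 23)


def is_probable_prime(n):
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(qbits, rng):
    """Return (p, g, S): p = 2*S*Q + 1 prime with Q a qbits-bit prime and S the
    product of SMALL_FACTORS; g has full order p-1, so g^((p-1)/r) has order r."""
    S = math.prod(SMALL_FACTORS)
    while True:
        Q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(Q) and is_probable_prime(2 * S * Q + 1):
            break
    p = 2 * S * Q + 1
    g = 2
    while any(pow(g, (p - 1) // r, p) == 1 for r in (2, *SMALL_FACTORS, Q)):
        g += 1
    return p, g, S


def keygen(p, g, rng):
    x = rng.randrange(2, p - 1)
    return x, pow(g, x, p)


def encrypt(p, g, y, m, kbits, rng):
    """ElGamal encryption with a kbits-bit ephemeral exponent (the small_k
    behaviour the patch removes). k is returned only so the demo can check it."""
    k = rng.randrange(1, 1 << kbits)
    return pow(g, k, p), m * pow(y, k, p) % p, k


def crt(residues, moduli):
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)
        M *= m
    return x % M, M


def recover_short_k(p, g, c1, kbits):
    """Attacker: k mod r from the order-r subgroup for each small r, CRT to get
    k mod S, then search the quotient; feasible only because k < 2^kbits << p."""
    residues = []
    for r in SMALL_FACTORS:
        g_r = pow(g, (p - 1) // r, p)    # element of order r
        h_r = pow(c1, (p - 1) // r, p)   # = g_r^k, depends only on k mod r
        residues.append(next(i for i in range(r) if pow(g_r, i, p) == h_r))
    k0, S = crt(residues, SMALL_FACTORS)
    for t in range((1 << kbits) // S + 1):   # candidates k = k0 + t*S
        k = k0 + t * S
        if pow(g, k, p) == c1:
            return k
    return None


def recover_plaintext(p, y, c1, c2, k):
    """With k known, the shared secret y^k is computable without the private key."""
    return c2 * pow(pow(y, k, p), -1, p) % p


def demo(seed=1, qbits=64, kbits=40):
    rng = random.Random(seed)
    p, g, S = make_group(qbits, rng)
    _x, y = keygen(p, g, rng)
    m = 0xC0FFEE                      # constructed sample plaintext, m < p
    c1, c2, k = encrypt(p, g, y, m, kbits, rng)
    k_rec = recover_short_k(p, g, c1, kbits)
    return {
        "k": k, "k_recovered": k_rec,
        "m": m, "m_recovered": recover_plaintext(p, y, c1, c2, k_rec),
        "short_k_search": (1 << kbits) // S + 1,   # what the attacker just did
        "full_k_search": (p - 2) // S + 1,         # same search once k is full size
    }


if __name__ == "__main__":
    print(demo())
```

demo() reports the attacker's search size for the short k (about 10^4 modular exponentiations here) next to what the same search would cost once k is full size, as it is after the patch: roughly p/S, which exceeds 2^64 even in this toy group. A practical attack would replace the final brute-force loop with an interval discrete-log algorithm, but its dependence on k being short is the same.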