Libgcrypt Heap-Based Buffer Overflow Vulnerability in ECDH Decryption

A heap-based buffer overflow vulnerability has been identified in Libgcrypt versions prior to 1.12.2. This vulnerability occurs in the ECDH decryption process when the ciphertext is crafted to include an ephemeral public point that is shorter than expected. The flaw allows an attacker to overwrite adjacent memory with zeros, leading to potential heap metadata corruption and denial-of-service conditions. In certain scenarios, this vulnerability could be exploited to execute arbitrary code.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can corrupt heap metadata. This corruption can be leveraged to cause a denial-of-service by disrupting normal memory management processes. Additionally, according to the CVE author, this vulnerability could be exploited to achieve remote code execution under specific conditions.

Reproduction

The vulnerability can be reproduced by using Libgcrypt versions prior to 1.12.2. First, compile Libgcrypt with AddressSanitizer enabled, which will help detect memory errors. Then, create a small C program that uses the Libgcrypt library to perform ECDH decryption. The program should send a crafted ciphertext that includes a one-byte ephemeral public point, which will trigger the buffer overflow by overwriting 30 bytes of adjacent memory. When this modified ciphertext is decrypted using a Curve25519 private key, the AddressSanitizer will report a heap-buffer-overflow error, indicating that the vulnerability has been successfully exploited.

Remediation

Users can upgrade to Libgcrypt versions 1.12.2, 1.11.3, or 1.10.4 to address this vulnerability. Instructions for downloading these versions are available on the GnuPG website.