CVE-2021-40530: 
Linux Debian vulnerability analysis and mitigation

The ElGamal implementation in Crypto++ through 8.5 allows plaintext recovery due to a vulnerability in the interaction between two cryptographic libraries. The issue (CVE-2021-40530) was discovered in September 2021 and affects the way certain combinations of parameters - including the prime defined by the receiver's public key, the generator defined by the receiver's public key, and the sender's ephemeral exponents - can lead to a cross-configuration attack against OpenPGP (CVE Details, IBM Research).

The vulnerability stems from dangerous combinations of ElGamal parameters in cross-library interactions. When certain configurations of prime modulus, group generator, and short ephemeral exponents are used together, it enables plaintext recovery attacks. The attack specifically targets scenarios where one library acts as a sender and another as a receiver with specific mathematical properties in their public keys. The vulnerability is particularly severe when GPG (Libgcrypt) or Crypto++ act as senders to certain types of receiver keys (IBM Research).

The vulnerability allows attackers to recover encrypted plaintexts when specific combinations of sender and receiver software are used. In some cases, the attack can be executed in just a few hours on commodity hardware. While the total number of affected registered public keys is relatively small (around 2,132), the actual impact could be larger due to unregistered keys (IBM Research).

The vulnerability was addressed in Crypto++ version 8.6.0. Users are advised to update to this version or later. For Fedora users, security updates were released for versions 33, 34, and 35 to address this vulnerability (Fedora Update).