CVE-2024-2236: 
Libgcrypt vulnerability analysis and mitigation

A timing-based side-channel vulnerability (CVE-2024-2236) was discovered in libgcrypt's RSA implementation. The vulnerability was disclosed on March 6, 2024, affecting the libgcrypt cryptographic library. This flaw could potentially allow remote attackers to perform Bleichenbacher-style attacks, leading to the decryption of RSA ciphertexts (NVD, Red Hat).

The vulnerability is classified as a timing discrepancy issue (CWE-208) with a CVSS v3.1 base score of 5.9 (Medium). The attack vector is network-based (AV:N) with high attack complexity (AC:H), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability affects all RSA padding modes including PKCS#1 v1.5, RSA-OAEP, and RSASVE. If successfully exploited, an attacker could potentially decrypt RSA ciphertexts, compromising the confidentiality of encrypted communications (Red Hat Bugzilla).

Red Hat has released security updates to address this vulnerability in Red Hat Enterprise Linux 9 through RHSA-2024:9404. The fixes are available in the Red Hat libgcrypt mirror repository (Red Hat Errata, Red Hat Bugzilla).

The libgcrypt developers have classified this as a low severity issue, as indicated in Ubuntu's security advisory. The vulnerability is being tracked upstream through the GnuPG development portal (Ubuntu).