Information disclosure in GNU Libgcrypt
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Information disclosure
EUVDB-ID: #VU32638
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2013-4242
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
MitigationInstall update from vendor's website.
Vulnerable software versionsLibgcrypt: 1.4.0 - 1.5.2
CPE2.3- cpe:2.3:a:gnu:libgcrypt:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:libgcrypt:1.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnu:libgcrypt:1.4.2:*:*:*:*:*:*:*
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717880
https://eprint.iacr.org/2013/448
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
https://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
https://lists.opensuse.org/opensuse-updates/2013-08/msg00003.html
https://rhn.redhat.com/errata/RHSA-2013-1457.html
https://secunia.com/advisories/54318
https://secunia.com/advisories/54321
https://secunia.com/advisories/54332
https://secunia.com/advisories/54375
https://www.debian.org/security/2013/dsa-2730
https://www.debian.org/security/2013/dsa-2731
https://www.kb.cert.org/vuls/id/976534
https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
https://www.securityfocus.com/bid/61464
https://www.ubuntu.com/usn/USN-1923-1
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
