Information disclosure in GNU Libgcrypt

1) Information disclosure

EUVDB-ID: #VU32505

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-5270

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Libgcrypt: 1.5.0 - 1.5.3

CPE2.3

• cpe:2.3:a:gnu:libgcrypt:1.5.0:*:*:*:*:*:*:*
• cpe:2.3:a:gnu:libgcrypt:1.5.1:*:*:*:*:*:*:*
• cpe:2.3:a:gnu:libgcrypt:1.5.2:*:*:*:*:*:*:*

External links

https://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
https://openwall.com/lists/oss-security/2014/08/16/2
https://www.cs.tau.ac.il/~tromer/handsoff/
https://www.debian.org/security/2014/dsa-3024
https://www.debian.org/security/2014/dsa-3073

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.