Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2016-6313 |
CWE-ID | CWE-330 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | IBM Tivoli Storage Manager (Server applications / File servers (FTP/HTTP)); libgcrypt (Alpine package) (Operating systems & Components / Operating system package or component) |
Vendor | IBM Corporation; Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low-risk vulnerability.
EUVDB-ID: #VU327
Risk: Low
CVSSv4.0: 0.4 [CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-6313
CWE-ID: CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
Description
The vulnerability allows a local user to decrypt data.
The vulnerability exists in the Libgcrypt library due to a weak implementation of the random number generator. A local user who can obtain 4640 bits of output from the random number generator can predict the next 160 bits of output.
Successful exploitation of this vulnerability may result in the generation of weak encryption keys and may lead to sensitive information disclosure.
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
IBM Tivoli Storage Manager: 5.4.3.0
libgcrypt (Alpine package): 2.8.3
libgcrypt (Alpine package): 3.2.0-1
libgcrypt (Alpine package): 0.2.8-0ubuntu1
libgcrypt (Alpine package): 0.1.17 - 0.1.17.1
libgcrypt (Alpine package): 1.17.0
libgcrypt (Alpine package): 20101020ubuntu334 - 20101020ubuntu335
libgcrypt (Alpine package): 1.5.3-2.15
libgcrypt (Alpine package): 11ubuntu2
libgcrypt (Alpine package): 3.0pl1-124ubuntu2
libgcrypt (Alpine package): 8.13-3.2ubuntu2 - 8.13-3.2ubuntu3
libgcrypt (Alpine package): 0.4.1-4
libgcrypt (Alpine package): 1.23
libgcrypt (Alpine package): 1:0.8.6-0ubuntu2
libgcrypt (Alpine package): 0.4.1-2
libgcrypt (Alpine package): 2.8.12.1-1.3
libgcrypt (Alpine package): 0.21ubuntu1
libgcrypt (Alpine package):
libgcrypt (Alpine package): before 1.6.6-r0
https://git.alpinelinux.org/aports/commit/?id=9ea2c6c30d27121c96723c408cee88ddb95fa854
https://git.alpinelinux.org/aports/commit/?id=3c51ea511304dac78861cdff6e0b78c9b8dd232e
https://git.alpinelinux.org/aports/commit/?id=5291d113b5686fe22d594deab29c6786dd7b463d
https://git.alpinelinux.org/aports/commit/?id=bd5fae04f0f059aea5dfd29f96b3ffa295e2120d
https://git.alpinelinux.org/aports/commit/?id=6981f37bfa3f54bd40a6785737ab10d97d2c2f28
https://git.alpinelinux.org/aports/commit/?id=0fd89f564d04e956a00fcd0ccff6d3047030184e
https://git.alpinelinux.org/aports/commit/?id=4aaa54a0a42e844dacf0e78e18df7103ec1f213f
https://git.alpinelinux.org/aports/commit/?id=9b640586aa7f6ccbc87acc2f8681b168e9748d49
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited only locally. The attacker must have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.