Cryptographic issues in libgcrypt (Alpine package)

Published: 2019-08-29

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2019-13627
CWE-ID	CWE-310
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	IBM Tivoli Storage Manager Server applications / File servers (FTP/HTTP) libgcrypt (Alpine package) Operating systems & Components / Operating system package or component
Vendor	IBM Corporation Alpine Linux Development Team

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cryptographic issues

EUVDB-ID: #VU24721

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-13627

CWE-ID: CWE-310 - Cryptographic Issues

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform timing attack.

The vulnerability exists due to an error within the libgcrypt20 cryptographic library. A remote attacker can perform ECDSA timing attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Tivoli Storage Manager: 5.4.3.0

libgcrypt (Alpine package): 0.10.3 - 0.10.4

libgcrypt (Alpine package): 20070206-1

libgcrypt (Alpine package): 0.9a-20010527-1

libgcrypt (Alpine package): 2.8.3 - 2.10.26ubuntu14

libgcrypt (Alpine package): 0.2.8-0ubuntu1

libgcrypt (Alpine package): 0.1.9 - 1.5.58

libgcrypt (Alpine package): 1.6.18-0ubuntu4.1 - 1.9.12-1

libgcrypt (Alpine package): 0.94-1

libgcrypt (Alpine package): 0.4.4

libgcrypt (Alpine package): 0.4-0ubuntu2 - 0.7.5-1

libgcrypt (Alpine package): 2.0rc1-4 - 2.0rc1-5

libgcrypt (Alpine package): 7.12.0.is.7.11.2-1 - 7.37.1-1ubuntu3.2

libgcrypt (Alpine package): 1.5.3-2.14 - 1.5.3-2.15

libgcrypt (Alpine package): 0.2.4-0ubuntu2 - 0.2.4-0ubuntu3

libgcrypt (Alpine package): 1.0.70-2

libgcrypt (Alpine package): 11ubuntu2

libgcrypt (Alpine package): 3.0pl1-124ubuntu2

libgcrypt (Alpine package): 2.7-10 - 2.7-11

libgcrypt (Alpine package): 8.13-3.2ubuntu2 - 8.13-3.2ubuntu3

libgcrypt (Alpine package): 0.4.1-4

libgcrypt (Alpine package): 4.6

libgcrypt (Alpine package): 6.3.3-2

libgcrypt (Alpine package): 6.4

libgcrypt (Alpine package): 9.0.14

libgcrypt (Alpine package): 1.4.0a2

libgcrypt (Alpine package): 9.5

libgcrypt (Alpine package): before 1.8.3-r2

CPE2.3

External links

https://git.alpinelinux.org/aports/commit/?id=1c4658e647d8946733688266ebe9784f71859fb6
https://git.alpinelinux.org/aports/commit/?id=ccc5650a362772557233ed732836c17e9f2524e7
https://git.alpinelinux.org/aports/commit/?id=4edee7eef800091770a3def2296f36d9f9b8778d
https://git.alpinelinux.org/aports/commit/?id=a8034aa3511680d7996e46d4cb0656d4d32df01d
https://git.alpinelinux.org/aports/commit/?id=f9cd8fbac76e354ca5b9d415cd4992375389bb31

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.