#VU32638 Information disclosure in Libgcrypt - CVE-2013-4242

Vulnerability identifier: #VU32638

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-4242

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Libgcrypt
Client/Desktop applications / Encryption software

Vendor: GNU

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Libgcrypt: 1.4.0 - 1.5.2

---

External links
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717880
https://eprint.iacr.org/2013/448
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
https://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
https://lists.opensuse.org/opensuse-updates/2013-08/msg00003.html
https://rhn.redhat.com/errata/RHSA-2013-1457.html
https://secunia.com/advisories/54318
https://secunia.com/advisories/54321
https://secunia.com/advisories/54332
https://secunia.com/advisories/54375
https://www.debian.org/security/2013/dsa-2730
https://www.debian.org/security/2013/dsa-2731
https://www.kb.cert.org/vuls/id/976534
https://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
https://www.securityfocus.com/bid/61464
https://www.ubuntu.com/usn/USN-1923-1

---

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.