#VU7276 Side-channel attack in Libgcrypt - CVE-2017-7526


| Updated: 2017-06-30

Vulnerability identifier: #VU7276

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-7526

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Libgcrypt
Client/Desktop applications / Encryption software

Vendor: GNU

Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists in libgcrypt's RSA-1024 implementation using left-to-right method for computing the sliding-window expansion. A remote attacker can perform side-channel attack and gain access to potentially sensitive information. 

Mitigation
Update libgcrypt to version 1.7.8.

Vulnerable software versions

Libgcrypt: 1.7.0 - 1.7.7

External links
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7526
https://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Debian update for gnupg
Ubuntu update for Libgcrypt
Side-channel attack in libgcrypt (Alpine package)
Ubuntu update for Libgcrypt
Arch Linux update for libgcrypt
Debian update for libgcrypt20
Slackware Linux update for libgcrypt
Side-channel attack in Libcrypt