Amazon Linux AMI update for libgcrypt



Published: 2015-08-04
Risk: Medium
Patch available: YES
Number of vulnerabilities: 4
CVE-ID: CVE-2013-4576, CVE-2014-3591, CVE-2014-5270, CVE-2015-0837
CWE-ID: CWE-255, CWE-200, CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Amazon Linux AMI (Operating systems & Components / Operating system)
Vendor: Amazon Web Services

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Credentials management

EUVDB-ID: #VU42223

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2013-4576

CWE-ID: CWE-255 - Credentials Management

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

GnuPG 1.x before 1.4.16 generates RSA keys using sequences of introductions with certain patterns that introduce a side channel, which allows physically proximate attackers to extract RSA keys via a chosen-ciphertext attack and acoustic cryptanalysis during decryption. NOTE: applications are not typically expected to protect themselves from acoustic side-channel attacks, since this is arguably the responsibility of the physical device. Accordingly, issues of this type would not normally receive a CVE identifier. However, for this issue, the developer has specified a security policy in which GnuPG should offer side-channel resistance, and developer-specified security-policy violations are within the scope of CVE.

Mitigation

Update the affected packages:

i686:
    libgcrypt-debuginfo-1.5.3-12.18.amzn1.i686
    libgcrypt-devel-1.5.3-12.18.amzn1.i686
    libgcrypt-1.5.3-12.18.amzn1.i686

src:
    libgcrypt-1.5.3-12.18.amzn1.src

x86_64:
    libgcrypt-devel-1.5.3-12.18.amzn1.x86_64
    libgcrypt-debuginfo-1.5.3-12.18.amzn1.x86_64
    libgcrypt-1.5.3-12.18.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2015-577.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU30571

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-3591

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 do not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.
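
Ciphertext blinding, the countermeasure named in this description, shown as an added example (not libgcrypt's or this bulletin's code). The function names, the 32-bit prime and all key and message values are constructed for illustration; the blinding value r is passed in so the result is reproducible.

```c
#include <inttypes.h>
#include <stdio.h>

/* Toy arithmetic: moduli stay below 2^32 so products fit in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a % m) * (b % m) % m;
}

/* Square-and-multiply, standing in for the library's modular exponentiation. */
static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t acc = 1 % m;
    for (base %= m; exp; exp >>= 1) {
        if (exp & 1) acc = mulmod(acc, base, m);
        base = mulmod(base, base, m);
    }
    return acc;
}

/* Inverse by Fermat's little theorem; valid because p is prime. */
static uint64_t invmod(uint64_t v, uint64_t p) { return powmod(v, p - 2, p); }

/* Unblinded: the secret exponent x is applied directly to the
   sender-controlled ciphertext component a. */
uint64_t elg_decrypt_plain(uint64_t a, uint64_t b, uint64_t x, uint64_t p) {
    return mulmod(b, invmod(powmod(a, x, p), p), p);
}

/* Blinded: x is applied only to r and to a*r, where r is a fresh random
   value in [1, p-1]; r^x * ((a*r)^x)^-1 == a^-x (mod p).
   *seen reports the operand the secret exponent was applied to. */
uint64_t elg_decrypt_blinded(uint64_t a, uint64_t b, uint64_t x, uint64_t p,
                             uint64_t r, uint64_t *seen) {
    uint64_t ar = mulmod(a, r, p);
    uint64_t t = mulmod(powmod(r, x, p), invmod(powmod(ar, x, p), p), p);
    if (seen) *seen = ar;
    return mulmod(b, t, p);
}

int main(void) {
    /* Constructed toy values: p = 2^32 - 5 (prime), g = 3; r is fixed here,
       real code draws a new r from the system RNG for every decryption. */
    const uint64_t p = 4294967291ULL, g = 3, x = 123456789, k = 987654321;
    const uint64_t msg = 42424242;
    uint64_t a = powmod(g, k, p), seen;
    uint64_t b = mulmod(msg, powmod(powmod(g, x, p), k, p), p);
    uint64_t out = elg_decrypt_blinded(a, b, x, p, 0x1234567, &seen);
    printf("plain=%" PRIu64 " blinded=%" PRIu64 " operand=%" PRIu64 "\n",
           elg_decrypt_plain(a, b, x, p), out, seen);
    return 0;
}
```

Both paths recover the same message, but in the blinded path the value raised to the secret exponent changes with every r, so it is no longer chosen by whoever supplied the ciphertext.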

Mitigation

Update the affected packages:

i686:
    libgcrypt-debuginfo-1.5.3-12.18.amzn1.i686
    libgcrypt-devel-1.5.3-12.18.amzn1.i686
    libgcrypt-1.5.3-12.18.amzn1.i686

src:
    libgcrypt-1.5.3-12.18.amzn1.src

x86_64:
    libgcrypt-devel-1.5.3-12.18.amzn1.x86_64
    libgcrypt-debuginfo-1.5.3-12.18.amzn1.x86_64
    libgcrypt-1.5.3-12.18.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2015-577.html


Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU32505

Risk: Low

CVSSv3.1: 3.5 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-5270

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.

Mitigation

Update the affected packages:

i686:
    libgcrypt-debuginfo-1.5.3-12.18.amzn1.i686
    libgcrypt-devel-1.5.3-12.18.amzn1.i686
    libgcrypt-1.5.3-12.18.amzn1.i686

src:
    libgcrypt-1.5.3-12.18.amzn1.src

x86_64:
    libgcrypt-devel-1.5.3-12.18.amzn1.x86_64
    libgcrypt-debuginfo-1.5.3-12.18.amzn1.x86_64
    libgcrypt-1.5.3-12.18.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2015-577.html


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU33822

Risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-0837

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a "Last-Level Cache Side-Channel Attack."
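
An added example (not libgcrypt's code) of the general countermeasure for secret-dependent access to a pre-computed table in windowed modular exponentiation: every table slot is read and the wanted one is kept with a mask. The function names, the 4-bit window and the restriction to moduli below 2^32 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define W 4                       /* window width in bits */
#define TABLE_SIZE (1u << W)

/* Toy arithmetic: m must stay below 2^32 so the product fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (a % m) * (b % m) % m;
}

/* Read every slot and keep the wanted one with a mask, so the addresses
   touched do not depend on the secret index. Compilers can undo such
   masking; production code checks the generated assembly. */
uint64_t ct_select(const uint64_t table[TABLE_SIZE], uint32_t idx) {
    uint64_t out = 0;
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        uint64_t diff = (uint64_t)(i ^ idx);
        uint64_t mask = ((diff | (0 - diff)) >> 63) - 1;  /* all ones iff i == idx */
        out |= table[i] & mask;
    }
    return out;
}

/* Fixed-window exponentiation: table[i] = base^i mod m. All 16 windows of
   the 64-bit exponent are processed, and a multiply happens for every
   window, including zero digits (table[0] == 1). */
uint64_t powm_ct_window(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t table[TABLE_SIZE];
    table[0] = 1 % m;
    for (uint32_t i = 1; i < TABLE_SIZE; i++)
        table[i] = mulmod(table[i - 1], base, m);

    uint64_t acc = 1 % m;
    for (int shift = 64 - W; shift >= 0; shift -= W) {
        for (int s = 0; s < W; s++) acc = mulmod(acc, acc, m);
        uint32_t digit = (uint32_t)(exp >> shift) & (TABLE_SIZE - 1);
        /* The leaky form is table[digit]: one cache line, chosen by the key. */
        acc = mulmod(acc, ct_select(table, digit), m);
    }
    return acc;
}

int main(void) {
    printf("4^13 mod 497 = %llu\n", (unsigned long long)powm_ct_window(4, 13, 497));
    return 0;
}
```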

Mitigation

Update the affected packages:

i686:
    libgcrypt-debuginfo-1.5.3-12.18.amzn1.i686
    libgcrypt-devel-1.5.3-12.18.amzn1.i686
    libgcrypt-1.5.3-12.18.amzn1.i686

src:
    libgcrypt-1.5.3-12.18.amzn1.src

x86_64:
    libgcrypt-devel-1.5.3-12.18.amzn1.x86_64
    libgcrypt-debuginfo-1.5.3-12.18.amzn1.x86_64
    libgcrypt-1.5.3-12.18.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2015-577.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


