SB2016042002 - Information disclosure in GNU Libgcrypt
Published: April 20, 2016 Updated: July 28, 2020
Security Bulletin ID
SB2016042002
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Physical access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Information disclosure (CVE-ID: CVE-2015-7511)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.
Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.
Remediation
Install update from vendor's website.
References
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00027.html
- http://www.cs.tau.ac.IL/~tromer/ecdh/
- http://www.debian.org/security/2016/dsa-3474
- http://www.debian.org/security/2016/dsa-3478
- http://www.securityfocus.com/bid/83253
- http://www.ubuntu.com/usn/USN-2896-1
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2IL4PAEICHGA2XMQYRY3MIWHM4GMPAG/
- https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html
- https://security.gentoo.org/glsa/201610-04