Main Vulnerability Database Vulnerabilities #VU30571

Information disclosure in GnuPG - CVE-2014-3591

Published: November 29, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30571

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2014-3591

CWE-ID: CWE-200

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: GNU

Affected software:
GnuPG

Detailed vulnerability description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.

How to mitigate CVE-2014-3591

Install update from vendor's website.

Sources

http://www.cs.tau.ac.il/~tromer/radioexp/
http://www.debian.org/security/2015/dsa-3184
http://www.debian.org/security/2015/dsa-3185
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html

Information disclosure in GnuPG - CVE-2014-3591

Detailed vulnerability description

How to mitigate CVE-2014-3591

Sources

Please verify you're human