Information disclosure in Libgcrypt - CVE-2014-5270

 


Published: October 10, 2014 / Updated: July 28, 2020


Vulnerability identifier: #VU32505
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2014-5270
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: GNU
Affected software: Libgcrypt

Detailed vulnerability description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.


How to mitigate CVE-2014-5270

Install the update from the vendor's website.
