Libgcrypt weak encryption in Oracle products - CVE-2016-6313

 


Published: August 18, 2016 / Updated: January 11, 2017


Vulnerability identifier: #VU327
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6313
CWE-ID: CWE-330
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: GNU, Oracle
Affected software: Libgcrypt, Oracle VM Server for x86, Oracle Linux

Detailed vulnerability description

The vulnerability allows a local user to decrypt data.

The vulnerability exists in the Libgcrypt library due to a weak implementation of the random number generator. A local user who can obtain 4640 bits from the random number generator can predict the next 160 bits of output.

Successful exploitation of this vulnerability may result in the generation of weak encryption keys and may lead to sensitive information disclosure.

 


How to mitigate CVE-2016-6313

Install the latest version of the library: 1.5.6, 1.6.6 or 1.7.3.
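
To confirm which hosts still need the update, the following added example (not part of the original advisory or of Libgcrypt itself) reads the version of the libgcrypt that the dynamic linker resolves, using the library's `gcry_check_version` call, and compares it per branch against the fixed releases listed above. The function names `classify` and `loaded_version` are hypothetical, and treating branches newer than 1.7 as fixed is an assumption.

```python
import ctypes
import ctypes.util
import re

# Fixed releases named in the advisory above, keyed by (major, minor) branch.
FIXED = {(1, 5): (1, 5, 6), (1, 6): (1, 6, 6), (1, 7): (1, 7, 3)}


def classify(version):
    """Return 'fixed', 'vulnerable' or 'unknown' for an upstream version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return "unknown"
    v = tuple(int(x) for x in m.groups())  # numeric compare: 1.7.10 > 1.7.3
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Assumption: branches newer than the last one listed carry the fix.
        # Older branches are not covered by the advisory text: report unknown.
        return "fixed" if v[:2] > max(FIXED) else "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def loaded_version():
    """Version reported by the libgcrypt the dynamic linker finds, or None."""
    name = ctypes.util.find_library("gcrypt")
    if name is None:
        return None
    try:
        lib = ctypes.CDLL(name)
        lib.gcry_check_version.restype = ctypes.c_char_p
        lib.gcry_check_version.argtypes = [ctypes.c_char_p]
        raw = lib.gcry_check_version(None)  # NULL: just return the version
    except (OSError, AttributeError):
        return None
    return raw.decode() if raw else None


if __name__ == "__main__":
    found = loaded_version()
    if found is None:
        print("libgcrypt not found on this host")
    else:
        print(f"libgcrypt {found}: {classify(found)}")
```

Distribution packages can carry a backported fix without changing the upstream version number, so a "vulnerable" result on a vendor-packaged library should be checked against the vendor's errata for CVE-2016-6313.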
