Main Vulnerability Database Vulnerabilities #VU30571

#VU30571 Information disclosure in GnuPG - CVE-2014-3591

Published: November 29, 2019 / Updated: July 17, 2020

Vulnerability identifier: #VU30571

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2014-3591

CWE-ID: CWE-200

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
GnuPG

Software vendor:
GNU

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.

Remediation

Install update from vendor's website.

External links

http://www.cs.tau.ac.il/~tromer/radioexp/
http://www.debian.org/security/2015/dsa-3184
http://www.debian.org/security/2015/dsa-3185
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html

#VU30571 Information disclosure in GnuPG - CVE-2014-3591

Description

Remediation

External links

Please verify you're human