#VU32337 Information disclosure in Libgcrypt - CVE-2015-7511

Cybersecurity Help s.r.o.

Published: 2016-04-20 | Updated: 2020-07-28

Vulnerability identifier: #VU32337

Vulnerability risk: Low

CVSSv4.0: 0.1 [CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-7511

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Libgcrypt
Client/Desktop applications / Encryption software

Vendor: GNU

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Libgcrypt: 1.6.0 - 1.6.4

External links
https://lists.opensuse.org/opensuse-updates/2016-05/msg00027.html
https://www.cs.tau.ac.IL/~tromer/ecdh/
https://www.debian.org/security/2016/dsa-3474
https://www.debian.org/security/2016/dsa-3478
https://www.securityfocus.com/bid/83253
https://www.ubuntu.com/usn/USN-2896-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2IL4PAEICHGA2XMQYRY3MIWHM4GMPAG/
https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html
https://security.gentoo.org/glsa/201610-04

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 23 update for libgcrypt

Fedora 24 update for libgcrypt

Information disclosure in GNU Libgcrypt

Slackware Linux update for libgcrypt

Information disclosure in libgcrypt (Alpine package)