#VU327 Libgcrypt weak encryption in Oracle products - CVE-2016-6313
Published: August 18, 2016 / Updated: January 11, 2017
Vulnerability identifier: #VU327
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-6313
CWE-ID: CWE-330
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Libgcrypt
Oracle VM Server for x86
Oracle Linux
Software vendor:
GNU
Oracle
Description
The vulnerability allows a local user to decrypt data.
The vulnerability exists in the Libgcrypt library due to a weak implementation of the random number generator. A local user who can obtain 4640 bits from the random generator can predict the next 160 bits of output.
Successful exploitation of this vulnerability may result in the generation of weak encryption keys and may lead to sensitive information disclosure.
Remediation
Install the latest version of the library: 1.5.6, 1.6.6 or 1.7.3.