#VU7276 Side-channel attack in Libgcrypt


Published: 2017-06-30 | Updated: 2017-06-30

Vulnerability identifier: #VU7276

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-7526

CWE-ID: CWE-310

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Libgcrypt
Client/Desktop applications / Encryption software

Vendor: GNU

Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists in libgcrypt's RSA-1024 implementation using left-to-right method for computing the sliding-window expansion. A remote attacker can perform side-channel attack and gain access to potentially sensitive information. 

Mitigation
Update libgcrypt to version 1.7.8.

Vulnerable software versions

Libgcrypt: 1.7.0 - 1.7.7

CPE

External links
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7526
http://lists.gnupg.org/pipermail/gnupg-announce/2017q2/000408.html

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Debian update for gnupg
Ubuntu update for Libgcrypt
Side-channel attack in libgcrypt (Alpine package)
Ubuntu update for Libgcrypt
Arch Linux update for libgcrypt
Debian update for libgcrypt20
Slackware Linux update for libgcrypt
Side-channel attack in Libcrypt