Timing Vulnerability in Libgcrypt and GnuPG Products
CVE-2015-0837

5.9MEDIUM

Key Information:

Vendor
Gnu
Status
Libgcrypt
Gnupg
Vendor
CVE Published:
29 November 2019

Summary

An issue exists in the mpi_powm function of Libgcrypt and GnuPG that permits attackers to exploit timing discrepancies while accessing a pre-computed table during modular exponentiation. This may lead to the leakage of sensitive information through a Last-Level Cache Side-Channel Attack. The vulnerability affects versions of Libgcrypt prior to 1.6.3 and GnuPG prior to 1.4.19, necessitating awareness and remediation to protect against potential exploitation.

Affected Version(s)

GnuPG before 1.4.19

Libgcrypt before 1.6.3

References

http://www.debian.org/security/2015/dsa-3184
x_refsource_MISC
http://www.debian.org/security/2015/dsa-3185
x_refsource_MISC
https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/0...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.