Side-Channel Attack Vulnerability in Libgcrypt Affects Multiple Platforms
CVE-2017-7526

6.1 MEDIUM

Key Information:

Vendor: Gnupg

Status
Vendor
CVE Published: 26 July 2018

What is CVE-2017-7526?

Libgcrypt versions earlier than 1.7.8 are vulnerable to a cache side-channel attack that can expose private RSA keys. The attack exploits the left-to-right method used to compute the sliding-window expansion, and it poses a significant security risk especially on systems where an attacker can execute arbitrary code. Although it primarily affects RSA-1024 keys, the same technique may also compromise RSA-2048 keys with increased effort. Users of libgcrypt should update to version 1.7.8 or later to protect against this vulnerability.

Affected Version(s)

libgcrypt 1.7.8

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

CVSS V3.0

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
