CVE-2014-5270

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html	Patch Vendor Advisory
http://openwall.com/lists/oss-security/2014/08/16/2	Mailing List Third Party Advisory
http://www.cs.tau.ac.il/~tromer/handsoff/	Technical Description
http://www.debian.org/security/2014/dsa-3024
http://www.debian.org/security/2014/dsa-3073	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gnupg:libgcrypt::::::::
	cpe:2.3:a:gnupg:libgcrypt:1.4.0:::::::*
	cpe:2.3:a:gnupg:libgcrypt:1.4.3:::::::*
	cpe:2.3:a:gnupg:libgcrypt:1.4.4:::::::*
	cpe:2.3:a:gnupg:libgcrypt:1.4.5:::::::*
	cpe:2.3:a:gnupg:libgcrypt:1.4.6:::::::*
	cpe:2.3:a:gnupg:libgcrypt:1.5.0:::::::*
	cpe:2.3:a:gnupg:libgcrypt:1.5.1:::::::*
	cpe:2.3:a:gnupg:libgcrypt:1.5.2:::::::*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2014-10-10 01:55

Updated : 2023-12-10 11:31

NVD link : CVE-2014-5270

Mitre link : CVE-2014-5270

CVE.ORG link : CVE-2014-5270

JSON object : View

Products Affected

gnupg

libgcrypt

debian

debian_linux

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2014-5270", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2014-10-10T01:55:10.383", "references": [{"url": "http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "http://openwall.com/lists/oss-security/2014/08/16/2", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://www.cs.tau.ac.il/~tromer/handsoff/", "tags": ["Technical Description"], "source": "cve@mitre.org"}, {"url": "http://www.debian.org/security/2014/dsa-3024", "source": "cve@mitre.org"}, {"url": "http://www.debian.org/security/2014/dsa-3073", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576."}, {"lang": "es", "value": "Libgcrypt anterior a 1.5.4, utilizado en GnuPG y otros productos, no realiza debidamente la normalizaci\u00f3n y aleatorizaci\u00f3n de texto cifrado, lo que facilita a atacantes f\u00edsicamente pr\u00f3ximos realizar ataques de extracci\u00f3n de claves mediante el aprovechamiento de la habilidad de recoger datos de voltaje del metal expuesto, un vector deferente a CVE-2013-4576."}], "lastModified": "2017-11-04T01:29:01.223", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B83822B-BC72-455D-A350-7DC9545E14A9", "versionEndIncluding": "1.5.3"}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7AE9E5CD-F6F8-4208-ACD2-5E2E88660A01"}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "128317AB-E441-47E3-BE5C-86C0D9C267E1"}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.4.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5C7509E7-9DF3-42AC-A538-A1BE675253BF"}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.4.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FAFA68DC-FFA3-4538-8082-93588CCB44D7"}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.4.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FEEF3D2-57D5-4E33-8856-B7A859ADD453"}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73E283C1-F1AE-4D29-A683-B5C5503133EC"}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.5.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7AEF669-B7AA-425A-988A-9F858937EC76"}, {"criteria": "cpe:2.3:a:gnupg:libgcrypt:1.5.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "67D0DD4C-9A2C-4B41-BA83-E7492EF8D434"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}