CVE-2014-5270
low
CVSS v3
—
CVSS v2
2.1
VIR risk
2.1
Description
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-5270
Vendor advisory: cve@mitre.org — http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 1.6.0-2 |
| debian | bullseye | fixed | 1.6.0-2 |
| debian | forky | fixed | 1.6.0-2 |
| debian | sid | fixed | 1.6.0-2 |
| debian | trixie | fixed | 1.6.0-2 |
| debian | 7.0 | affected | |
References
- http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
- http://openwall.com/lists/oss-security/2014/08/16/2
- http://www.cs.tau.ac.il/~tromer/handsoff/
- http://www.debian.org/security/2014/dsa-3024
- http://www.debian.org/security/2014/dsa-3073
- https://security-tracker.debian.org/tracker/CVE-2014-5270
CWEs
CWE-200
Verify integrity in audit chain (admin only). AS-IS.