CVE-2014-3591
Published: 31 December 2014
Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.
Priority
Status
Package | Release | Status |
---|---|---|
gnupg Launchpad, Ubuntu, Debian |
lucid |
Released
(1.4.10-2ubuntu1.8)
|
precise |
Released
(1.4.11-3ubuntu2.9)
|
|
trusty |
Released
(1.4.16-1ubuntu2.3)
|
|
upstream |
Released
(1.4.18-7)
|
|
utopic |
Released
(1.4.16-1.2ubuntu1.2)
|
|
Patches: upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=ff53cf06e966dce0daba5f2c84e03ab9db2c3c8b |
||
libgcrypt11 Launchpad, Ubuntu, Debian |
lucid |
Released
(1.4.4-5ubuntu2.4)
|
precise |
Released
(1.5.0-3ubuntu0.4)
|
|
trusty |
Released
(1.5.3-2ubuntu4.2)
|
|
upstream |
Needed
|
|
utopic |
Released
(1.5.4-2ubuntu1.1)
|
|
Patches: upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=35cd81f134c0da4e7e6fcfe40d270ee1251f52c2 |
||
libgcrypt20 Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
precise |
Does not exist
|
|
trusty |
Released
(1.6.1-2ubuntu1.14.04.1)
|
|
upstream |
Released
(1.6.3-2)
|
|
utopic |
Released
(1.6.1-2ubuntu1.14.10.1)
|
|
Patches: upstream: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=d482948ac41768c36c5352a513fca8c50d2da4db |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 4.2 |
Attack vector | Physical |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- http://www.cs.tau.ac.il/~tromer/radioexp/
- https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000363.html
- https://lists.gnupg.org/pipermail/gnupg-announce/2015q1/000364.html
- https://ubuntu.com/security/notices/USN-2554-1
- https://ubuntu.com/security/notices/USN-2555-1
- https://www.cve.org/CVERecord?id=CVE-2014-3591
- NVD
- Launchpad
- Debian