Executive Summary
Summary | |
---|---|
Title | libgcrypt security update |
Informations | |||
---|---|---|---|
Name | RHSA-2013:1457 | First vendor Publication | 2013-10-24 |
Vendor | RedHat | Last vendor Modification | 2013-10-24 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:M/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 1.9 | Attack Range | Local |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 3.4 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: An updated libgcrypt package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: RHEL Desktop Workstation (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64 Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 3. Description: The libgcrypt library provides general-purpose implementations of various cryptographic algorithms. It was found that GnuPG was vulnerable to the Yarom/Falkner flush+reload cache side-channel attack on the RSA secret exponent. An attacker able to execute a process on the logical CPU that shared the L3 cache with the GnuPG process (such as a different local user or a user of a KVM guest running on the same host with the kernel same-page merging functionality enabled) could possibly use this flaw to obtain portions of the RSA secret key. (CVE-2013-4242) All libgcrypt users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (http://bugzilla.redhat.com/): 988589 - CVE-2013-4242 GnuPG susceptible to Yarom/Falkner flush+reload cache side-channel attack |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2013-1457.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-200 | Information Exposure |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17876 | |||
Oval ID: | oval:org.mitre.oval:def:17876 | ||
Title: | USN-1923-1 -- gnupg, libgcrypt11 vulnerability | ||
Description: | GnuPG and Libgcrypt could be made to expose sensitive information. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1923-1 CVE-2013-4242 | Version: | 7 |
Platform(s): | Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | gnupg libgcrypt11 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18882 | |||
Oval ID: | oval:org.mitre.oval:def:18882 | ||
Title: | DSA-2730-1 gnupg - information leak | ||
Description: | Yarom and Falkner discovered that RSA secret keys could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2730-1 CVE-2013-4242 | Version: | 8 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | gnupg |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18887 | |||
Oval ID: | oval:org.mitre.oval:def:18887 | ||
Title: | DSA-2731-1 libgcrypt11 - information leak | ||
Description: | Yarom and Falkner discovered that RSA secret keys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2731-1 CVE-2013-4242 | Version: | 8 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | libgcrypt11 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21277 | |||
Oval ID: | oval:org.mitre.oval:def:21277 | ||
Title: | RHSA-2013:1457: libgcrypt security update (Moderate) | ||
Description: | GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1457-00 CESA-2013:1457 CVE-2013-4242 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | libgcrypt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23444 | |||
Oval ID: | oval:org.mitre.oval:def:23444 | ||
Title: | DEPRECATED: ELSA-2013:1457: libgcrypt security update (Moderate) | ||
Description: | GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1457-00 CVE-2013-4242 | Version: | 7 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libgcrypt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24005 | |||
Oval ID: | oval:org.mitre.oval:def:24005 | ||
Title: | ELSA-2013:1457: libgcrypt security update (Moderate) | ||
Description: | GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1457-00 CVE-2013-4242 | Version: | 6 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libgcrypt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25331 | |||
Oval ID: | oval:org.mitre.oval:def:25331 | ||
Title: | SUSE-SU-2014:0704-1 -- Security update for libgcrypt | ||
Description: | libgcrypt has been updated to fix a cryptographic weakness. * CVE-2013-4242: libgcrypt was affected by the Yarom/Falkner flush+reload side-channel attach on RSA secret keys, that could have potentially leaked the key data to attackers on the same machine. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0704-1 CVE-2013-4242 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | libgcrypt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25485 | |||
Oval ID: | oval:org.mitre.oval:def:25485 | ||
Title: | SUSE-SU-2013:1352-1 -- Security update for libgcrypt | ||
Description: | This update of libgcrypt mitigates the Yarom/Falkner flush+reload side-channel attack on RSA secret keys (CVE-2013-4242). Security Issue reference: * CVE-2013-4242 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1352-1 CVE-2013-4242 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | libgcrypt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27177 | |||
Oval ID: | oval:org.mitre.oval:def:27177 | ||
Title: | DEPRECATED: ELSA-2013-1457 -- libgcrypt security update (moderate) | ||
Description: | [1.4.5-11] - fix CVE-2013-4242 GnuPG/libgcrypt susceptible to cache side-channel attack [1.4.5-10] - Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-1457 CVE-2013-4242 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libgcrypt |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2014-05-01 | IAVM : 2014-A-0062 - Multiple Vulnerabilities In McAfee Email Gateway Severity : Category I - VMSKEY : V0050005 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-06-22 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2016-0062.nasl - Type : ACT_GATHER_INFO |
2016-02-22 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL75253136.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_libgcrypt_20140512.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-1527.nasl - Type : ACT_GATHER_INFO |
2014-06-10 | Name : The remote Fedora host is missing a security update. File : fedora_2014-6851.nasl - Type : ACT_GATHER_INFO |
2014-02-23 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201402-24.nasl - Type : ACT_GATHER_INFO |
2013-10-27 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1457.nasl - Type : ACT_GATHER_INFO |
2013-10-27 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2013-1458.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1457.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131024_libgcrypt_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131024_gnupg_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1458.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1457.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2013-1458.nasl - Type : ACT_GATHER_INFO |
2013-10-01 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-226.nasl - Type : ACT_GATHER_INFO |
2013-10-01 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-225.nasl - Type : ACT_GATHER_INFO |
2013-08-20 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_689c2bf7070111e39a25002590860428.nasl - Type : ACT_GATHER_INFO |
2013-08-16 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libgcrypt-130813.nasl - Type : ACT_GATHER_INFO |
2013-08-15 | Name : The remote Fedora host is missing a security update. File : fedora_2013-13940.nasl - Type : ACT_GATHER_INFO |
2013-08-10 | Name : The remote Fedora host is missing a security update. File : fedora_2013-13975.nasl - Type : ACT_GATHER_INFO |
2013-08-05 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-215-01.nasl - Type : ACT_GATHER_INFO |
2013-08-02 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-205.nasl - Type : ACT_GATHER_INFO |
2013-08-02 | Name : The remote Fedora host is missing a security update. File : fedora_2013-13678.nasl - Type : ACT_GATHER_INFO |
2013-08-02 | Name : The remote Fedora host is missing a security update. File : fedora_2013-13671.nasl - Type : ACT_GATHER_INFO |
2013-08-01 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1923-1.nasl - Type : ACT_GATHER_INFO |
2013-07-30 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2731.nasl - Type : ACT_GATHER_INFO |
2013-07-30 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2730.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:57:31 |
|
2013-10-24 21:21:43 |
|