Executive Summary
Summary | |
---|---|
Title | L3 CPU shared cache architecture is susceptible to a Flush+Reload side-channel attack |
Informations | |||
---|---|---|---|
Name | VU#976534 | First vendor Publication | 2013-10-01 |
Vendor | VU-CERT | Last vendor Modification | 2013-10-01 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:M/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 1.9 | Attack Range | Local |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 3.4 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#976534L3 CPU shared cache architecture is susceptible to a Flush+Reload side-channel attackOverviewL3 CPU shared cache architecture is susceptible to a Flush+Reload side-channel attack, resulting in information leakage. allowing a local attacker to derive the contents of memory not belonging to the attacker. Description
Impact
Solution
Vendor Information (Learn More)
CVSS Metrics (Learn More)
References
CreditThanks to Yuval Yarom and Katrina Falkner for reporting this vulnerability and for help writing this document. This document was written by Adam Rauf. Other Information
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email. |
Original Source
Url : http://www.kb.cert.org/vuls/id/976534 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-200 | Information Exposure |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17876 | |||
Oval ID: | oval:org.mitre.oval:def:17876 | ||
Title: | USN-1923-1 -- gnupg, libgcrypt11 vulnerability | ||
Description: | GnuPG and Libgcrypt could be made to expose sensitive information. | ||
Family: | unix | Class: | patch |
Reference(s): | USN-1923-1 CVE-2013-4242 | Version: | 7 |
Platform(s): | Ubuntu 13.04 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04 | Product(s): | gnupg libgcrypt11 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18882 | |||
Oval ID: | oval:org.mitre.oval:def:18882 | ||
Title: | DSA-2730-1 gnupg - information leak | ||
Description: | Yarom and Falkner discovered that RSA secret keys could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2730-1 CVE-2013-4242 | Version: | 8 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | gnupg |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:18887 | |||
Oval ID: | oval:org.mitre.oval:def:18887 | ||
Title: | DSA-2731-1 libgcrypt11 - information leak | ||
Description: | Yarom and Falkner discovered that RSA secret keys in applications using the libgcrypt11 library, for example GnuPG 2.x, could be leaked via a side channel attack, where a malicious local user could obtain private key information from another user on the system. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2731-1 CVE-2013-4242 | Version: | 8 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/Linux 7 Debian GNU/kFreeBSD 6.0 Debian GNU/kFreeBSD 7 | Product(s): | libgcrypt11 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:21277 | |||
Oval ID: | oval:org.mitre.oval:def:21277 | ||
Title: | RHSA-2013:1457: libgcrypt security update (Moderate) | ||
Description: | GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2013:1457-00 CESA-2013:1457 CVE-2013-4242 | Version: | 4 |
Platform(s): | Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 CentOS Linux 5 CentOS Linux 6 | Product(s): | libgcrypt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:23444 | |||
Oval ID: | oval:org.mitre.oval:def:23444 | ||
Title: | DEPRECATED: ELSA-2013:1457: libgcrypt security update (Moderate) | ||
Description: | GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1457-00 CVE-2013-4242 | Version: | 7 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libgcrypt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:24005 | |||
Oval ID: | oval:org.mitre.oval:def:24005 | ||
Title: | ELSA-2013:1457: libgcrypt security update (Moderate) | ||
Description: | GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013:1457-00 CVE-2013-4242 | Version: | 6 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libgcrypt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25331 | |||
Oval ID: | oval:org.mitre.oval:def:25331 | ||
Title: | SUSE-SU-2014:0704-1 -- Security update for libgcrypt | ||
Description: | libgcrypt has been updated to fix a cryptographic weakness. * CVE-2013-4242: libgcrypt was affected by the Yarom/Falkner flush+reload side-channel attach on RSA secret keys, that could have potentially leaked the key data to attackers on the same machine. | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2014:0704-1 CVE-2013-4242 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 | Product(s): | libgcrypt |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:25485 | |||
Oval ID: | oval:org.mitre.oval:def:25485 | ||
Title: | SUSE-SU-2013:1352-1 -- Security update for libgcrypt | ||
Description: | This update of libgcrypt mitigates the Yarom/Falkner flush+reload side-channel attack on RSA secret keys (CVE-2013-4242). Security Issue reference: * CVE-2013-4242 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4242 > | ||
Family: | unix | Class: | patch |
Reference(s): | SUSE-SU-2013:1352-1 CVE-2013-4242 | Version: | 3 |
Platform(s): | SUSE Linux Enterprise Server 11 SUSE Linux Enterprise Desktop 11 | Product(s): | libgcrypt |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27177 | |||
Oval ID: | oval:org.mitre.oval:def:27177 | ||
Title: | DEPRECATED: ELSA-2013-1457 -- libgcrypt security update (moderate) | ||
Description: | [1.4.5-11] - fix CVE-2013-4242 GnuPG/libgcrypt susceptible to cache side-channel attack [1.4.5-10] - Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2013-1457 CVE-2013-4242 | Version: | 4 |
Platform(s): | Oracle Linux 5 Oracle Linux 6 | Product(s): | libgcrypt |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2014-05-01 | IAVM : 2014-A-0062 - Multiple Vulnerabilities In McAfee Email Gateway Severity : Category I - VMSKEY : V0050005 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-06-22 | Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2016-0062.nasl - Type : ACT_GATHER_INFO |
2016-02-22 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL75253136.nasl - Type : ACT_GATHER_INFO |
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_libgcrypt_20140512.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2013-1527.nasl - Type : ACT_GATHER_INFO |
2014-06-10 | Name : The remote Fedora host is missing a security update. File : fedora_2014-6851.nasl - Type : ACT_GATHER_INFO |
2014-02-23 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201402-24.nasl - Type : ACT_GATHER_INFO |
2013-10-27 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1457.nasl - Type : ACT_GATHER_INFO |
2013-10-27 | Name : The remote CentOS host is missing a security update. File : centos_RHSA-2013-1458.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1457.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131024_libgcrypt_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131024_gnupg_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1458.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1457.nasl - Type : ACT_GATHER_INFO |
2013-10-25 | Name : The remote Oracle Linux host is missing a security update. File : oraclelinux_ELSA-2013-1458.nasl - Type : ACT_GATHER_INFO |
2013-10-01 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-226.nasl - Type : ACT_GATHER_INFO |
2013-10-01 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-225.nasl - Type : ACT_GATHER_INFO |
2013-08-20 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_689c2bf7070111e39a25002590860428.nasl - Type : ACT_GATHER_INFO |
2013-08-16 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_libgcrypt-130813.nasl - Type : ACT_GATHER_INFO |
2013-08-15 | Name : The remote Fedora host is missing a security update. File : fedora_2013-13940.nasl - Type : ACT_GATHER_INFO |
2013-08-10 | Name : The remote Fedora host is missing a security update. File : fedora_2013-13975.nasl - Type : ACT_GATHER_INFO |
2013-08-05 | Name : The remote Slackware host is missing a security update. File : Slackware_SSA_2013-215-01.nasl - Type : ACT_GATHER_INFO |
2013-08-02 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-205.nasl - Type : ACT_GATHER_INFO |
2013-08-02 | Name : The remote Fedora host is missing a security update. File : fedora_2013-13678.nasl - Type : ACT_GATHER_INFO |
2013-08-02 | Name : The remote Fedora host is missing a security update. File : fedora_2013-13671.nasl - Type : ACT_GATHER_INFO |
2013-08-01 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1923-1.nasl - Type : ACT_GATHER_INFO |
2013-07-30 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2731.nasl - Type : ACT_GATHER_INFO |
2013-07-30 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2730.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2013-10-08 00:23:02 |
|
2013-10-01 17:18:34 |
|