Vulnerability Details : CVE-2013-4242
GnuPG before 1.4.14, and Libgcrypt before 1.5.3 as used in GnuPG 2.0.x and possibly other products, allows local users to obtain private RSA keys via a cache side-channel attack involving the L3 cache, aka Flush+Reload.
Vulnerability category: Information leak
Products affected by CVE-2013-4242
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:2.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.0.4:-:win32:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.0.5:-:win32:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.3.90:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.2.1:windows:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.3.93:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.3.91:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:1.3.92:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.2.19:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.8:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.2.16:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.2.15:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.11:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.2.18:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.2.17:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:0.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:13.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-4242
0.12%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 47 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-4242
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
1.9
|
LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N |
3.4
|
2.9
|
NIST |
CWE ids for CVE-2013-4242
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-4242
-
http://www.debian.org/security/2013/dsa-2730
Debian -- Security Information -- DSA-2730-1 gnupg
-
http://www.ubuntu.com/usn/USN-1923-1
USN-1923-1: GnuPG, Libgcrypt vulnerability | Ubuntu security noticesVendor Advisory
-
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
Juniper Networks - 2015-10 Security Bulletin: CTPView: Multiple Vulnerabilities in CTPView
-
http://www.debian.org/security/2013/dsa-2731
Debian -- Security Information -- DSA-2731-1 libgcrypt11
-
http://rhn.redhat.com/errata/RHSA-2013-1457.html
RHSA-2013:1457 - Security Advisory - Red Hat Customer Portal
-
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717880
#717880 - gnupg: CVE-2013-4242: Yarom/Falkner flush+reload side-channel attack on RSA secret keys - Debian Bug report logs
-
http://www.kb.cert.org/vuls/id/976534
VU#976534 - L3 CPU shared cache architecture is susceptible to a Flush+Reload side-channel attackUS Government Resource
-
http://lists.gnupg.org/pipermail/gnupg-announce/2013q3/000330.html
[Announce] [security fix] GnuPG 1.4.14 released
-
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
Oracle VM Server for x86 Bulletin - July 2016
-
http://eprint.iacr.org/2013/448
Cryptology ePrint Archive: Report 2013/448 - Flush+Reload: a High Resolution, Low Noise, L3 Cache Side-Channel Attack
-
http://lists.opensuse.org/opensuse-updates/2013-08/msg00003.html
openSUSE-SU-2013:1294-1: moderate: libgcrypt: update to 1.5.3Vendor Advisory
-
http://www.securityfocus.com/bid/61464
libgcrypt RSA Secret Keys Information Disclosure Vulnerability
Jump to