Vulnerability Details : CVE-2014-5270
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
Vulnerability category: Information leak
Products affected by CVE-2014-5270
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.5.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-5270
- EPSS score: 0.10% (probability of exploitation activity in the next 30 days)
- Percentile: ~42% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-5270
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
CWE ids for CVE-2014-5270
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-5270
- http://www.cs.tau.ac.il/~tromer/handsoff/
  Get Your Hands Off My Laptop (Technical Description)
- http://www.debian.org/security/2014/dsa-3073
  Debian -- Security Information -- DSA-3073-1 libgcrypt11 (Third Party Advisory)
- http://www.debian.org/security/2014/dsa-3024
  Debian -- Security Information -- DSA-3024-1 gnupg
- http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html
  [Announce] [security fix] Libgcrypt and GnuPG (Patch; Vendor Advisory)
- http://openwall.com/lists/oss-security/2014/08/16/2
  oss-security - Re: CVE request: libgcrypt, ELGAMAL side-channel attack (Mailing List; Third Party Advisory)