Vulnerability Details : CVE-2014-5270

Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.

Vulnerability category: Information leak

Published 2014-10-10 01:55:10

Updated 2017-11-04 01:29:01

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2014-5270

Probability of exploitation activity in the next 30 days: 0.10%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 39 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2014-5270

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
2.1	LOW	AV:L/AC:L/Au:N/C:P/I:N/A:N	3.9	2.9	nvd@nist.gov
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

CWE ids for CVE-2014-5270

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2014-5270

http://www.cs.tau.ac.il/~tromer/handsoff/

Get Your Hands Off My Laptop
Technical Description
http://www.debian.org/security/2014/dsa-3073

Debian -- Security Information -- DSA-3073-1 libgcrypt11
Third Party Advisory
http://www.debian.org/security/2014/dsa-3024

Debian -- Security Information -- DSA-3024-1 gnupg
http://lists.gnupg.org/pipermail/gnupg-announce/2014q3/000352.html

[Announce] [security fix] Libgcrypt and GnuPG
Patch;Vendor Advisory
http://openwall.com/lists/oss-security/2014/08/16/2

oss-security - Re: CVE request: libgcrypt, ELGAMAL side-channel attack
Mailing List;Third Party Advisory

Products affected by CVE-2014-5270

Debian » Debian Linux » Version: 7.0
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
Matching versions
Gnupg » Libgcrypt
Versions up to, including, (<=) 1.5.3
cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*
Matching versions
Gnupg » Libgcrypt » Version: 1.4.0
cpe:2.3:a:gnupg:libgcrypt:1.4.0:*:*:*:*:*:*:*
Matching versions
Gnupg » Libgcrypt » Version: 1.4.6
cpe:2.3:a:gnupg:libgcrypt:1.4.6:*:*:*:*:*:*:*
Matching versions
Gnupg » Libgcrypt » Version: 1.4.5
cpe:2.3:a:gnupg:libgcrypt:1.4.5:*:*:*:*:*:*:*
Matching versions
Gnupg » Libgcrypt » Version: 1.5.1
cpe:2.3:a:gnupg:libgcrypt:1.5.1:*:*:*:*:*:*:*
Matching versions
Gnupg » Libgcrypt » Version: 1.5.0
cpe:2.3:a:gnupg:libgcrypt:1.5.0:*:*:*:*:*:*:*
Matching versions
Gnupg » Libgcrypt » Version: 1.4.4
cpe:2.3:a:gnupg:libgcrypt:1.4.4:*:*:*:*:*:*:*
Matching versions
Gnupg » Libgcrypt » Version: 1.4.3
cpe:2.3:a:gnupg:libgcrypt:1.4.3:*:*:*:*:*:*:*
Matching versions
Gnupg » Libgcrypt » Version: 1.5.2
cpe:2.3:a:gnupg:libgcrypt:1.5.2:*:*:*:*:*:*:*
Matching versions