Vulnerability Details : CVE-2015-7511
Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.
Vulnerability category: Information leak
Exploit prediction scoring system (EPSS) score for CVE-2015-7511
Probability of exploitation activity in the next 30 days: 0.21%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 58 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2015-7511
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
1.9
|
LOW | AV:L/AC:M/Au:N/C:P/I:N/A:N |
3.4
|
2.9
|
nvd@nist.gov |
|
2.0
|
LOW | CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
0.5
|
1.4
|
nvd@nist.gov |
CWE ids for CVE-2015-7511
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-7511
-
http://www.debian.org/security/2016/dsa-3478
Debian -- Security Information -- DSA-3478-1 libgcrypt11
-
https://security.gentoo.org/glsa/201610-04
libgcrypt: Multiple vulnerabilities (GLSA 201610-04) — Gentoo security
-
http://www.ubuntu.com/usn/USN-2896-1
USN-2896-1: Libgcrypt vulnerability | Ubuntu security notices
-
http://www.debian.org/security/2016/dsa-3474
Debian -- Security Information -- DSA-3474-1 libgcrypt20
-
https://lists.gnupg.org/pipermail/gnupg-announce/2016q1/000384.html
[Announce] Libgcrypt 1.6.5 with security fix releasedVendor Advisory
-
http://www.cs.tau.ac.IL/~tromer/ecdh/
ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
-
http://www.securityfocus.com/bid/83253
GNU Libgcrypt CVE-2015-7511 Security Bypass Vulnerability
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W2IL4PAEICHGA2XMQYRY3MIWHM4GMPAG/
[SECURITY] Fedora 24 Update: libgcrypt-1.6.5-1.fc24 - package-announce - Fedora Mailing-Lists
-
http://lists.opensuse.org/opensuse-updates/2016-05/msg00027.html
openSUSE-SU-2016:1227-1: moderate: Security update for libgcrypt
Products affected by CVE-2015-7511
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*