Vulnerability Details : CVE-2016-6313
The mixing functions in the random number generator in Libgcrypt before 1.5.6, 1.6.x before 1.6.6, and 1.7.x before 1.7.3 and GnuPG before 1.4.21 make it easier for attackers to obtain the values of 160 bits by leveraging knowledge of the previous 4640 bits.
Vulnerability category: Information leak
Products affected by CVE-2016-6313
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:gnupg:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:*:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:gnupg:libgcrypt:1.6.3:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-6313
- EPSS score: 0.44% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~74% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2016-6313
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
| 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST | |
CWE ids for CVE-2016-6313
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2016-6313
- GnuPG Flaw in Random Number Generator Mixing Functions Lets Users Predict Some Output (SecurityTracker): http://www.securitytracker.com/id/1036635
- USN-3065-1: Libgcrypt vulnerability (Ubuntu security notices; Third Party Advisory): http://www.ubuntu.com/usn/USN-3065-1
- libgcrypt: Multiple vulnerabilities (GLSA 201610-04) (Gentoo security): https://security.gentoo.org/glsa/201610-04
- Libgcrypt NEWS file (Vendor Advisory): https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob_plain;f=NEWS
- RHSA-2016:2674 - Security Advisory (Red Hat Customer Portal): http://rhn.redhat.com/errata/RHSA-2016-2674.html
- USN-3064-1: GnuPG vulnerability (Ubuntu security notices; Third Party Advisory): http://www.ubuntu.com/usn/USN-3064-1
- GnuPG: RNG output is predictable (GLSA 201612-01) (Gentoo security): https://security.gentoo.org/glsa/201612-01
- [Announce] Security fixes for Libgcrypt and GnuPG 1.4 [CVE-2016-6316] (Mailing List; Vendor Advisory): https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html
- GnuPG and Libgcrypt CVE-2016-6313 Local Predictable Random Number Generator Weakness (Third Party Advisory; VDB Entry): http://www.securityfocus.com/bid/92527
- Debian Security Information, DSA-3650-1 libgcrypt20 (Third Party Advisory): http://www.debian.org/security/2016/dsa-3650
- Debian Security Information, DSA-3649-1 gnupg (Third Party Advisory): http://www.debian.org/security/2016/dsa-3649